Comments (10)

dengert avatar dengert commented on August 31, 2024 1

pkcs11-tool support for using EDDSA was added in OpenSC 0.22.0 along with Ed25519 and others.

from softhsmv2.

dengert avatar dengert commented on August 31, 2024 1

try pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so --keypairgen --key-type ec:edwards25519

Here is where it maps the key-type for ec:
https://github.com/OpenSC/OpenSC/blob/master/src/tools/pkcs11-tool.c#L143

dengert avatar dengert commented on August 31, 2024

It looks like you are using OpenSC pkcs11-tool and I assume its opensc-pkcs11.so module
The only card driver in OpenSC that says it supports EDDSA or ED25519 is card-openpgp.c

try pkcs11-tool --module <path to lib softhsm2.so

ehanoc avatar ehanoc commented on August 31, 2024

It looks like you are using OpenSC pkcs11-tool and I assume its opensc-pkcs11.so module The only card driver in OpenSC that says it supports EDDSA or ED25519 is card-openpgp.c

try pkcs11-tool --module <path to lib softhsm2.so

Hey @dengert
I'm using $ pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -M

Here's the full output:

Using slot 0 with a present token (0x0)
Supported mechanisms:
  MD5, digest
  SHA-1, digest
  SHA224, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5-HMAC, keySize={16,512}, sign, verify
  SHA-1-HMAC, keySize={20,512}, sign, verify
  SHA224-HMAC, keySize={28,512}, sign, verify
  SHA256-HMAC, keySize={32,512}, sign, verify
  SHA384-HMAC, keySize={48,512}, sign, verify
  SHA512-HMAC, keySize={64,512}, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={512,16384}, generate_key_pair
  RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap
  RSA-X-509, keySize={512,16384}, encrypt, decrypt, sign, verify
  MD5-RSA-PKCS, keySize={512,16384}, sign, verify
  SHA1-RSA-PKCS, keySize={512,16384}, sign, verify
  RSA-PKCS-OAEP, keySize={512,16384}, encrypt, decrypt, wrap, unwrap
  SHA224-RSA-PKCS, keySize={512,16384}, sign, verify
  SHA256-RSA-PKCS, keySize={512,16384}, sign, verify
  SHA384-RSA-PKCS, keySize={512,16384}, sign, verify
  SHA512-RSA-PKCS, keySize={512,16384}, sign, verify
  RSA-PKCS-PSS, keySize={512,16384}, sign, verify
  SHA1-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
  SHA224-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
  SHA256-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
  SHA384-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
  SHA512-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
  GENERIC-SECRET-KEY-GEN, keySize={1,2147483648}, generate
  DES-KEY-GEN, generate
  DES2-KEY-GEN, generate
  DES3-KEY-GEN, generate
  DES-ECB, encrypt, decrypt
  DES-CBC, encrypt, decrypt
  DES-CBC-PAD, encrypt, decrypt
  DES-ECB-ENCRYPT-DATA, derive
  DES-CBC-ENCRYPT-DATA, derive
  DES3-ECB, encrypt, decrypt
  DES3-CBC, encrypt, decrypt
  DES3-CBC-PAD, encrypt, decrypt
  DES3-ECB-ENCRYPT-DATA, derive
  DES3-CBC-ENCRYPT-DATA, derive
  DES3-CMAC, sign, verify
  AES-KEY-GEN, keySize={16,32}, generate
  AES-ECB, keySize={16,32}, encrypt, decrypt
  AES-CBC, keySize={16,32}, encrypt, decrypt
  AES-CBC-PAD, keySize={16,32}, encrypt, decrypt
  AES-CTR, keySize={16,32}, encrypt, decrypt
  AES-GCM, keySize={16,32}, encrypt, decrypt
  AES-KEY-WRAP, keySize={16,2147483648}, wrap, unwrap
  mechtype-0x210A, keySize={1,2147483648}, wrap, unwrap
  AES-ECB-ENCRYPT-DATA, derive
  AES-CBC-ENCRYPT-DATA, derive
  AES-CMAC, keySize={16,32}, sign, verify
  DSA-PARAMETER-GEN, keySize={512,1024}, generate
  DSA-KEY-PAIR-GEN, keySize={512,1024}, generate_key_pair
  DSA, keySize={512,1024}, sign, verify
  DSA-SHA1, keySize={512,1024}, sign, verify
  DSA-SHA224, keySize={512,1024}, sign, verify
  DSA-SHA256, keySize={512,1024}, sign, verify
  DSA-SHA384, keySize={512,1024}, sign, verify
  DSA-SHA512, keySize={512,1024}, sign, verify
  DH-PKCS-KEY-PAIR-GEN, keySize={512,10000}, generate_key_pair
  DH-PKCS-PARAMETER-GEN, keySize={512,10000}, generate
  DH-PKCS-DERIVE, keySize={512,10000}, derive
  ECDSA-KEY-PAIR-GEN, keySize={112,521}, generate_key_pair, other flags=0x1900000
  ECDSA, keySize={112,521}, sign, verify, other flags=0x1900000
  ECDH1-DERIVE, keySize={112,521}, derive
  mechtype-0x1055, keySize={256,456}, generate_key_pair
  mechtype-0x1057, keySize={256,456}, sign, verify

dengert avatar dengert commented on August 31, 2024

Your version of pkcs11-tool is a bit old and does not have a mapping of mechtype to readable name:
mechtype-0x210A is CKM_AES_KEY_WRAP_PAD
mechtype-0x1055 is CKM_EC_EDWARDS_KEY_PAIR_GEN
mechtype-0x1057 is CKM_EDDSA

So it prints out the hex version of the attribute.

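As an added example (not code from the OpenSC or SoftHSM projects), the following Python parses a `pkcs11-tool -M` listing like the one above, resolves the raw `mechtype-0x...` codes dengert explains to their PKCS#11 names, and checks whether the token advertises both the Edwards key-pair-generation mechanism and EdDSA sign/verify, which is what the rest of the thread depends on. The sample listing is a constructed excerpt of the output quoted in the thread; the CKM_ values are the constants from the PKCS#11 headers.

```python
import re
# Raw codes an older pkcs11-tool shows as "mechtype-0x....": values are the
# CKM_* constants from the PKCS#11 headers (the three explained in the thread).
MECH_NAMES = {
    0x210A: "CKM_AES_KEY_WRAP_PAD",
    0x1055: "CKM_EC_EDWARDS_KEY_PAIR_GEN",
    0x1057: "CKM_EDDSA",
}

MECH_LINE = re.compile(  # "  NAME, keySize={lo,hi}, flag, ..." (tail optional)
    r"^\s*(?P<name>[^,]+?)(?:,\s*keySize=\{(?P<lo>\d+),(?P<hi>\d+)\})?"
    r"(?:,\s*(?P<rest>.*))?$"
)

# Constructed excerpt of the "pkcs11-tool -M" listing quoted in the thread.
SAMPLE_LISTING = """\
Supported mechanisms:
  mechtype-0x210A, keySize={1,2147483648}, wrap, unwrap
  ECDSA, keySize={112,521}, sign, verify, other flags=0x1900000
  mechtype-0x1055, keySize={256,456}, generate_key_pair
  mechtype-0x1057, keySize={256,456}, sign, verify
"""

def canonical_name(shown):
    """Return (CKM_ name, numeric code or None). Known names are printed as the
    CKM_ name minus its prefix and with hyphens, so they are rebuilt from that."""
    m = re.fullmatch(r"mechtype-0x([0-9A-Fa-f]+)", shown)
    if m:
        code = int(m.group(1), 16)
        return MECH_NAMES.get(code, shown), code
    return "CKM_" + shown.upper().replace("-", "_"), None

def parse_mechanisms(listing):
    """Map each mechanism line to {"code", "key_size", "flags"}, keyed by CKM_ name."""
    mechs = {}
    for line in listing.splitlines():
        if not line.startswith("  ") or not line.strip():
            continue  # "Using slot ..." / "Supported mechanisms:" headers
        m = MECH_LINE.match(line)
        name, code = canonical_name(m.group("name").strip())
        size = (int(m.group("lo")), int(m.group("hi"))) if m.group("lo") else None
        flags = {f.strip() for f in (m.group("rest") or "").split(",") if f.strip()}
        mechs[name] = {"code": code, "key_size": size, "flags": flags}
    return mechs

def eddsa_ready(mechs):
    """True when the token advertises Edwards key-pair generation and EdDSA sign/verify."""
    gen = mechs.get("CKM_EC_EDWARDS_KEY_PAIR_GEN", {}).get("flags", set())
    sig = mechs.get("CKM_EDDSA", {}).get("flags", set())
    return "generate_key_pair" in gen and {"sign", "verify"} <= sig
```

The same functions work unchanged on the 0.23 output later in the thread, where the names are already spelled out (for example `EC-EDWARDS-KEY-PAIR-GEN` maps to `CKM_EC_EDWARDS_KEY_PAIR_GEN` with no numeric code).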

ehanoc avatar ehanoc commented on August 31, 2024

Thanks @dengert, you were right

I updated to 0.23 and now I can see the mechanisms properly

...
  ECDSA-KEY-PAIR-GEN, keySize={112,521}, generate_key_pair, EC F_P, EC OID, EC uncompressed
  ECDSA, keySize={112,521}, sign, verify, EC F_P, EC OID, EC uncompressed
  ECDH1-DERIVE, keySize={112,521}, derive
  EC-EDWARDS-KEY-PAIR-GEN, keySize={256,456}, generate_key_pair
  EDDSA, keySize={256,456}, sign, verify

Now I just need to figure out why I can't create keys for those

$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so --keypairgen --key-type ec:ed25519
Using slot 0 with a present token (0x4b5f5e4b)
error: Unknown EC key params 'ed25519'
Aborting.

ehanoc avatar ehanoc commented on August 31, 2024

That seems to have moved things forward

I ran: $ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so --keypairgen --login --key-type EC:edwards25519 --usage-sign --usage-derive

But now getting a generic error:

error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.

dengert avatar dengert commented on August 31, 2024

Google for: edwards25519 vs curve25519

Sounds like one does not use same key for both sign and derive?

ehanoc avatar ehanoc commented on August 31, 2024

That makes sense. ed25519 for signing, Curve25519 for deriving new keys, which is understandable.

I did try with only --usage-sign and without any options. Still error though.

Could be a pkcs11-tool thing rather than softhsm. Will try to dig through some of the implementation.

If I can get this sorted, I'll submit some documentation

dengert avatar dengert commented on August 31, 2024

You can use opensc-spy https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC to log all PKCS11 function calls between pkcs11-tool and libsofthsm2.so.

something like:

export PKCS11SPY=/usr/local/lib/softhsm/libsofthsm2.so 
export PKCS11SPY_OUTPUT=/tmp/pkcs11-tool-spy.txt
pkcs11-tool --module=<path to>/pkcs11-spy.so --keypairgen --login --key-type EC:edwards25519 --usage-sign --usage-derive