OpenSSL 1.1.1, Cryptoki 2.40, possibly Cryptoki v3 EdDSA features? #5
Comments
Hi Nicolas, Thank you for your interest. I am planning to work on openssl 1.1 support before the end of this year (i.e. before end of support of openssl 1.0). Migrating to 1.1 is actually not straightforward; the reason is that many internal objects/APIs of openssl have been obfuscated now, and I will need to change the method for signing a CSR using a PKCS#11 interface; I actually need to write a small openssl engine, inspired by OpenSC/libp11. Support for EdDSA is a good idea, but this project isn't ready yet with 2.40. Support for v3 is likely to be disruptive, isn't it? I will need to have a look. Alternatively, if possible, we could cherry-pick support for EdDSA, assuming this could work under 2.X.
Thanks for the quick response! Yes indeed, openssl 1.1 is a bit disruptive, isn't it; on the (non-enterprisey) distributions I use, openssl 1.0 isn't even easily available anymore though. With regard to 25519, from what I can tell it's "just" three new constants plus implementation to cherry-pick this back into 2.40; I'm working on a patch for python-pkcs11. As linked above, SoftHSMv2 added support in their version 2.5, so I assume there aren't any compatibility issues - it's new functionality.
Just constants? Do you know which mechanisms this will affect? Key pair generation/signature/verification, presumably? I can imagine, also, that another OID must be picked as signature algorithm (i.e. EdDSA instead of ECDSA). python-pkcs11 is another project I have been contributing to recently. I'm on the watchers list, I'll check your patch once you have published your PR, to gather the information. Adding EdDSA as a distinct feature to develop, in my project plan. Stay tuned.
Support for PKCS#2.40 fixed in v1.1.0 (commit 2ab2172)
Hi @nickray, PKCS#11 3.0, OpenSSL 1.1.1 and Edwards curves are supported as of release v2.1.0. Regards,
Hi Eric,
great project! I see in https://github.com/Mastercard/pkcs11-tools/projects/1 that you're planning to support OpenSSL 1.1 and update to Cryptoki 2.40. Is this actively being worked on, in the sense of having an idea when it will land?
Additionally, it would be great to already have support for EdDSA: it should be included in PKCS#11 version 3, there is a draft that looks close to final, and SoftHSMv2 added support in 2.5.