
OpenSSL 1.1.1, Cryptoki 2.40, possibly Cryptoki v3 EdDSA features? #5

Closed
nickray opened this issue Mar 24, 2019 · 6 comments
Labels: enhancement (New feature or request)

Comments

nickray commented Mar 24, 2019

Hi Eric,
great project! I see in https://github.com/Mastercard/pkcs11-tools/projects/1 that you're planning to support OpenSSL 1.1 and update to Cryptoki 2.40. Is this actively being worked on, in the sense of having an idea when it will land?

Additionally, it would be great to already have support for EdDSA: it should be included in PKCS#11 version 3, there is a draft that looks close to final, and SoftHSMv2 added support in 2.5.

keldonin (Contributor) commented

Hi Nicolas,

Thank you for your interest. I am planning to work on openssl 1.1 support before the end of this year (i.e. before the end of support of openssl 1.0).

Migrating to 1.1 is actually not straightforward; the reason is that many internal objects/APIs of openssl have been obfuscated now, and I will need to change the method for signing a CSR using a PKCS#11 interface; I actually need to write a small openssl engine, inspired by OpenSC/libp11.

Support for EdDSA is a good idea, but this project isn't ready yet with 2.40. Support for v3 is likely to be disruptive, isn't it? I will need to have a look. Alternatively, if possible, we could cherry-pick support for EdDSA, assuming this could work under 2.X.

@keldonin keldonin self-assigned this Mar 25, 2019
@keldonin keldonin added the enhancement New feature or request label Mar 25, 2019
nickray (Author) commented Mar 25, 2019

Thanks for the quick response! Yes indeed, openssl 1.1 is a bit disruptive, isn't it? On the (non-enterprisey) distributions I use, openssl 1.0 isn't even easily available anymore though.

Regarding 25519, from what I can tell it's "just" three new constants plus implementation to cherry-pick this back into 2.40; I'm working on a patch for python-pkcs11. As linked above, SoftHSMv2 added support in their version 2.5, so I assume there aren't any compatibility issues - it's new functionality.

keldonin (Contributor) commented

Just constants? Do you know which mechanisms this will affect? Key pair generation/signature/verification, presumably? I can imagine, also, that another OID must be picked as signature algorithm (i.e. EdDSA instead of ECDSA).

python-pkcs11 is another project I have been contributing to recently. I'm on the watchers list; I'll check your patch once you have published your PR, to gather the information.

Adding EdDSA as a distinct feature to develop, in my project plan.

Stay tuned.
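To make the "three new constants" and the mechanisms they touch (key pair generation and signing/verification) concrete, here is an added example in C; it is not code from pkcs11-tools, python-pkcs11 or either commenter. It assumes the PKCS#11 v3.0 identifiers CKK_EC_EDWARDS, CKM_EC_EDWARDS_KEY_PAIR_GEN and CKM_EDDSA with the numeric values from the published pkcs11t.h, and uses local stand-ins for the Cryptoki types so it compiles without pkcs11.h or a token; the struct ed25519_keygen_t and the helper functions are this example's own. It produces the CKA_EC_PARAMS encoding for Ed25519 plus the mechanism and attribute templates a C_GenerateKeyPair / C_SignInit call would take, and shows how a tool can tell an Edwards key from an ECDSA one by its CKA_KEY_TYPE.

```c
#include <string.h>

/* PKCS#11 v3.0 identifiers for Edwards-curve keys, values copied from the
 * published pkcs11t.h so this builds without the real header (check yours),
 * followed by the Cryptoki 2.x values the templates rely on. */
#define CKK_EC_EDWARDS              0x00000040UL
#define CKM_EC_EDWARDS_KEY_PAIR_GEN 0x00001055UL
#define CKM_EDDSA                   0x00001057UL
#define CKA_CLASS       0x00000000UL
#define CKA_KEY_TYPE    0x00000100UL
#define CKA_SIGN        0x00000108UL
#define CKA_VERIFY      0x0000010AUL
#define CKA_EC_PARAMS   0x00000180UL
#define CKO_PUBLIC_KEY  0x00000002UL
#define CKO_PRIVATE_KEY 0x00000003UL

/* Local stand-ins laid out like Cryptoki's CK_ATTRIBUTE / CK_MECHANISM. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
typedef struct { CK_ULONG mechanism; void *pParameter; CK_ULONG ulParameterLen; } CK_MECHANISM;

/* DER-encode an OBJECT IDENTIFIER from its arcs; returns TLV length, 0 on error. */
size_t der_encode_oid(const unsigned int *arcs, size_t n, unsigned char *out, size_t cap)
{
    unsigned char body[32]; size_t blen = 0;
    if (n < 2 || arcs[0] > 2 || arcs[1] > 39) return 0;
    body[blen++] = (unsigned char)(arcs[0] * 40 + arcs[1]);
    for (size_t i = 2; i < n; i++) {
        unsigned int v = arcs[i];
        unsigned char grp[5]; int k = 0;     /* base-128 groups, least significant first */
        do { grp[k++] = (unsigned char)(v & 0x7F); v >>= 7; } while (v);
        while (k--) {                        /* most significant first; 0x80 = "more follows" */
            if (blen >= sizeof body) return 0;
            body[blen++] = (unsigned char)(grp[k] | (k ? 0x80 : 0x00));
        }
    }
    if (blen > 127 || cap < blen + 2) return 0;
    out[0] = 0x06; out[1] = (unsigned char)blen;   /* tag, short-form length */
    memcpy(out + 2, body, blen);
    return blen + 2;
}

/* CKA_EC_PARAMS for Ed25519: DER of id-Ed25519 (1.3.101.112), one of the
 * encodings the v3.0 spec allows for CKK_EC_EDWARDS keys. */
size_t ed25519_ec_params(unsigned char *out, size_t cap)
{
    static const unsigned int id_ed25519[] = { 1, 3, 101, 112 };
    return der_encode_oid(id_ed25519, 4, out, cap);
}

/* What C_GenerateKeyPair and C_SignInit need for one Ed25519 pair. Attribute
 * pointers reference the struct itself, so never copy it by value. */
typedef struct {
    unsigned char params[8]; size_t params_len;
    CK_ULONG pub_class, priv_class, key_type;
    CK_BBOOL yes;
    CK_ATTRIBUTE pub[4], priv[3];
    CK_MECHANISM keygen, sign;
} ed25519_keygen_t;

int ed25519_prepare(ed25519_keygen_t *k)
{
    memset(k, 0, sizeof *k);
    k->params_len = ed25519_ec_params(k->params, sizeof k->params);
    if (k->params_len == 0) return 0;
    k->pub_class = CKO_PUBLIC_KEY; k->priv_class = CKO_PRIVATE_KEY;
    k->key_type = CKK_EC_EDWARDS;            /* the new key type, not CKK_EC */
    k->yes = 1;
    CK_ATTRIBUTE pub[4] = {
        { CKA_CLASS,     &k->pub_class, sizeof k->pub_class },
        { CKA_KEY_TYPE,  &k->key_type,  sizeof k->key_type },
        { CKA_EC_PARAMS, k->params,     (CK_ULONG)k->params_len },
        { CKA_VERIFY,    &k->yes,       sizeof k->yes },
    };
    CK_ATTRIBUTE priv[3] = {
        { CKA_CLASS,    &k->priv_class, sizeof k->priv_class },
        { CKA_KEY_TYPE, &k->key_type,   sizeof k->key_type },
        { CKA_SIGN,     &k->yes,        sizeof k->yes },
    };
    memcpy(k->pub, pub, sizeof pub);
    memcpy(k->priv, priv, sizeof priv);
    /* Key-pair mechanism takes no parameter: the curve comes from CKA_EC_PARAMS. */
    k->keygen.mechanism = CKM_EC_EDWARDS_KEY_PAIR_GEN;
    /* With no CK_EDDSA_PARAMS this is plain Ed25519 (no prehash, no context). */
    k->sign.mechanism = CKM_EDDSA;
    return 1;
}

/* For a tool inspecting an existing object: read CKA_KEY_TYPE from a template
 * to tell ECDSA (CKK_EC) from EdDSA (CKK_EC_EDWARDS); (CK_ULONG)-1 if absent. */
CK_ULONG template_key_type(const CK_ATTRIBUTE *t, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].type == CKA_KEY_TYPE && t[i].ulValueLen == sizeof(CK_ULONG))
            return *(const CK_ULONG *)t[i].pValue;
    return (CK_ULONG)-1;
}
```

Against a real module, `k.keygen`, `k.pub` and `k.priv` go to C_GenerateKeyPair and `k.sign` to C_SignInit. A 2.40-era module that does not implement these mechanisms answers CKR_MECHANISM_INVALID, so a tool cherry-picking EdDSA into a 2.x code base should check C_GetMechanismList for CKM_EC_EDWARDS_KEY_PAIR_GEN and CKM_EDDSA before offering the feature rather than treating the error as a token fault.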

keldonin (Contributor) commented

Support for PKCS#11 2.40 fixed in v1.1.0 (commit 2ab2172)

keldonin (Contributor) commented

Hi @nickray,

PKCS#11 3.0, OpenSSL 1.1.1 and Edwards curves are supported as of release v2.1.0.

Regards,
