ECDSA P-521 support in SoftHSMv2 #205

Closed
qbert2k opened this issue Apr 5, 2016 · 8 comments

qbert2k commented Apr 5, 2016

I was testing SoftHSMv2 through PKCS#11 and I found it is working fine for ECDSA algorithms ES256 and ES384 but it is not working for the algorithm ES512 (curve P-521).

| Curve | Curve Alias | Curve OID | Succeed |
|-------|-------------|-----------|---------|
| P-256 | secp256r1 | 1.2.840.10045.3.1.7 | Yes |
| P-384 | secp384r1 | 1.3.132.0.34 | Yes |
| P-521 | secp521r1 | 1.3.132.0.35 | No |

Are there any plans for ECDSA with EC P-521 support?

Contributor

bellgrim commented Apr 6, 2016

I have not tested with P-521, but both Botan and OpenSSL should support it and thus also SoftHSM. Do you have more details from your tests? E.g. error logs and library versions.

@justinburke

I've run into this issue as well. The following diff adds a failing test for secp521r1:
justinburke@48fd634

@matthauck
Contributor

Running into this as well. Would be great to add support for secp521r1.

Contributor

bellgrim commented Sep 2, 2016

The problem was in the OpenSSL crypto backend for SoftHSM. It could not handle EC points larger than 127 bytes when converting to ASN1 format. Fixed in #231
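
The 127-byte limit mentioned above matches the DER short-form length limit: an uncompressed P-521 point is 133 bytes (0x04 plus two 66-byte coordinates), so its OCTET STRING wrapper needs the long-form length `81 85`. The following is an added example, not SoftHSM's code; it assumes the conversion in question is the DER OCTET STRING wrapping of the raw point, and `derWrapOctetString`, `derUnwrapOctetString` and `samplePoint` are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

typedef std::vector<uint8_t> Bytes;

// Wrap raw bytes in a DER OCTET STRING (tag 0x04).
// Lengths 0..127 use the one-byte short form; longer values need the long
// form: 0x80 | n, followed by n big-endian length bytes.
Bytes derWrapOctetString(const Bytes& raw) {
    Bytes der;
    der.push_back(0x04);
    size_t len = raw.size();
    if (len < 0x80) {
        der.push_back(static_cast<uint8_t>(len));
    } else {
        Bytes lenBytes;
        for (size_t v = len; v > 0; v >>= 8)
            lenBytes.insert(lenBytes.begin(), static_cast<uint8_t>(v & 0xff));
        der.push_back(static_cast<uint8_t>(0x80 | lenBytes.size()));
        der.insert(der.end(), lenBytes.begin(), lenBytes.end());
    }
    der.insert(der.end(), raw.begin(), raw.end());
    return der;
}

// Inverse: strict parse that rejects truncated, non-minimal or trailing data.
Bytes derUnwrapOctetString(const Bytes& der) {
    if (der.size() < 2 || der[0] != 0x04) throw std::runtime_error("not an OCTET STRING");
    size_t pos = 2, len = der[1];
    if (len & 0x80) {
        size_t n = len & 0x7f;
        if (n == 0 || n > sizeof(size_t) || der.size() < 2 + n) throw std::runtime_error("bad length");
        len = 0;
        for (size_t i = 0; i < n; ++i) len = (len << 8) | der[pos++];
        if (len < 0x80 || der[2] == 0) throw std::runtime_error("non-minimal length");
    }
    if (der.size() - pos != len) throw std::runtime_error("length mismatch");
    return Bytes(der.begin() + pos, der.end());
}

// Constructed sample point of the right size: 0x04 prefix, filler coordinates.
Bytes samplePoint(size_t fieldBytes) {
    Bytes p(1 + 2 * fieldBytes, 0xAB);
    p[0] = 0x04;
    return p;
}

int main() { return derUnwrapOctetString(derWrapOctetString(samplePoint(66))).size() == 133 ? 0 : 1; }
```

With field sizes 32 and 48 (P-256, P-384) the points are 65 and 97 bytes and fit the short form, which is why only P-521 crosses the boundary.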

bellgrim added a commit that referenced this issue Sep 5, 2016
Issue #205: ECDSA P-521 support for OpenSSL and better test coverage.
@bellgrim bellgrim closed this as completed Sep 9, 2016
@matthauck
Contributor

I think this is still an issue in the import key logic in softhsm-util. Agreed that this is not the best practice workflow, but the code is there and should probably either be removed or fixed. Reopen this issue or open another one?

Contributor

bellgrim commented Nov 3, 2016

The issue about ECDSA P-521 via PKCS#11 has been resolved.

Fixing ECDSA P-521 in softhsm2-util would be a new, but similar, issue. Could you create one?

My guess is that we have to fix this:
https://github.com/opendnssec/SoftHSMv2/blob/develop/src/bin/util/softhsm2-util-ossl.cpp#L657

@matthauck
Contributor

Filed #262!

Contributor

bellgrim commented Nov 3, 2016

Thanks!
