Douglas E Engert
2015-Oct-08 13:00 UTC
[PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent
On 10/8/2015 4:49 AM, Simon Josefsson wrote:> Mathias Brossard <mathias at brossard.org> writes: > >> Hi, >> >> I have made a patch for enabling the use of ECDSA keys in the PKCS#11 >> support of ssh-agent which will be of interest to other users. > > Nice! What would it take to add support for Ed25519 too? Do we need to > allocate any new PKCS#11 identifiers?Yes, and PKCS#11 allows for *_VENDOR_SUPPLIED identifiers. But using these can get out of hand. Best to try and get them in the standard. OASIS controls the standard From 14 April 2015: http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/pkcs11-curr-v2.40.html 2.40 does not define Ed25519.> The Gnuk smartcard supports > Ed25519 but I don't know if it is common to use it with OpenSSH through > PKCS#11 (I would expect it to be used with OpenSSH through GnuPG's > gpg-agent). At least it might be useful as a test case. > > /Simon > > > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >-- Douglas E. Engert <DEEngert at gmail.com>
Thomas Calderon
2015-Oct-08 13:36 UTC
[PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent
Hi, There is no need to add new mechanism identifiers to use specific curves. This can be done already using the CKM_ECDSA mechanism parameters (see CKA_ECDSA_PARAMS in the standard). Given that the underlying HW or SW tokens supports Ed25519 curves, then you could leverage it even with version 2.20 of the PKCS#11 standard. Cheers, Thomas On Thu, Oct 8, 2015 at 2:00 PM, Douglas E Engert <deengert at gmail.com> wrote:> > > On 10/8/2015 4:49 AM, Simon Josefsson wrote: > >> Mathias Brossard <mathias at brossard.org> writes: >> >> Hi, >>> >>> I have made a patch for enabling the use of ECDSA keys in the PKCS#11 >>> support of ssh-agent which will be of interest to other users. >>> >> >> Nice! What would it take to add support for Ed25519 too? Do we need to >> allocate any new PKCS#11 identifiers? >> > > Yes, and PKCS#11 allows for *_VENDOR_SUPPLIED identifiers. But using these > can > get out of hand. Best to try and get them in the standard. OASIS controls > the > standard From 14 April 2015: > > > http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/pkcs11-curr-v2.40.html > > 2.40 does not define Ed25519. > > The Gnuk smartcard supports >> Ed25519 but I don't know if it is common to use it with OpenSSH through >> PKCS#11 (I would expect it to be used with OpenSSH through GnuPG's >> gpg-agent). At least it might be useful as a test case. >> >> /Simon >> >> >> >> _______________________________________________ >> openssh-unix-dev mailing list >> openssh-unix-dev at mindrot.org >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >> >> > -- > > Douglas E. Engert <DEEngert at gmail.com> > > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >
Simon Josefsson
2015-Oct-08 14:17 UTC
[PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent
Thomas Calderon <calderon.thomas at gmail.com> writes:> Hi, > > There is no need to add new mechanism identifiers to use specific curves. > > This can be done already using the CKM_ECDSA mechanism parameters (see > CKA_ECDSA_PARAMS > in the standard). > Given that the underlying HW or SW tokens supports Ed25519 curves, then you > could leverage it even with version 2.20 of the PKCS#11 standard.I think you need an OID to put in the namedCurve field of EC Parameters structure, right? The structure is: Parameters:: = CHOICE { ecParametersECParameters, namedCurveCURVES. & id( { CurveNames}), implicitlyCANULL} The ecParametersECParameters approach doesn't work, I believe, for EdDSA, but a namedCurve would probably do. But what OID to use? I'm happy to reserve 1.3.6.1.4.1.11591.9 to mean a namedCurve value for Ed25519 in PKCS#11. I'm not sure this approach works out -- but let's try. /Simon> Cheers, > > Thomas > > On Thu, Oct 8, 2015 at 2:00 PM, Douglas E Engert <deengert at gmail.com> wrote: > >> >> >> On 10/8/2015 4:49 AM, Simon Josefsson wrote: >> >>> Mathias Brossard <mathias at brossard.org> writes: >>> >>> Hi, >>>> >>>> I have made a patch for enabling the use of ECDSA keys in the PKCS#11 >>>> support of ssh-agent which will be of interest to other users. >>>> >>> >>> Nice! What would it take to add support for Ed25519 too? Do we need to >>> allocate any new PKCS#11 identifiers? >>> >> >> Yes, and PKCS#11 allows for *_VENDOR_SUPPLIED identifiers. But using these >> can >> get out of hand. Best to try and get them in the standard. OASIS controls >> the >> standard From 14 April 2015: >> >> >> http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/pkcs11-curr-v2.40.html >> >> 2.40 does not define Ed25519. >> >> The Gnuk smartcard supports >>> Ed25519 but I don't know if it is common to use it with OpenSSH through >>> PKCS#11 (I would expect it to be used with OpenSSH through GnuPG's >>> gpg-agent). At least it might be useful as a test case. >>> >>> /Simon >>> >>> >>> >>> _______________________________________________ >>> openssh-unix-dev mailing list >>> openssh-unix-dev at mindrot.org >>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >>> >>> >> -- >> >> Douglas E. Engert <DEEngert at gmail.com> >> >> >> _______________________________________________ >> openssh-unix-dev mailing list >> openssh-unix-dev at mindrot.org >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >>-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 472 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20151008/b0dc0f82/attachment.bin>
Apparently Analagous Threads
- [PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent
- [PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent
- Cluster analysis
- [Bug 2474] New: Enabling ECDSA in PKCS#11 support for ssh-agent
- request of information about creating DLL from R to be used in other languages/programs