Ed25519 support with pkcs11-tool

sonkkeli · February 21, 2023, 3:36pm

Hey,
Do you have plans to support signing data with ed25519 keys using the pkcs11-tool? This is something similar that Yubikeys have quite nicely documented here, but they only support RSA and some ECC keys but not Ed25519 keys which is what we’d like to use for our use case. Is there a plan to support ed25519 keys anytime in the near future?

I know that for example SoftHSM2 which is an emulation software for security keys already supports ed25519 when it’s compiled from the source with the configuration flags

./configure --with-openssl=/usr/lib/ssl --enable-eddsa=yes

Also the pkcs11-tool itself supports --key-type EC:ed25519, but only with such a security key in place that supports the Ed25519 algorithm.

The command which I’d like to use would be:

pkcs11-tool --module /path/to/lib-hsm.so --login --login-type so --keypairgen --id 0 --key-type EC:ed25519 --usage-sign --allowed-mechanisms 0x1057

saper · February 22, 2023, 6:43pm

Hey, you might want to check the following out:

zapper · February 23, 2023, 3:38am

Is this the same problem for the nitrokey Storage version?

If it is, are there better alternatives out there that might be implemented, with less weaknesses?

Just wondering.

Or as many.

From what I recall, curve25519 is one of the better ones still. Though its unknown for how much longer this will be true.

At least I think it is true? The answers to the contrary haven’t sounded clear cut to me, but maybe?

meh…

saper · February 23, 2023, 9:02am

The answer pertains only to Nitrokey HSM.