Ed25519 support with pkcs11-tool

Do you have plans to support signing data with ed25519 keys using the pkcs11-tool? This is something similar to what Yubikeys have quite nicely documented here, but they only support RSA and some ECC keys, not Ed25519 keys, which is what we’d like to use for our use case. Is there a plan to support ed25519 keys anytime in the near future?

I know that, for example, SoftHSM2, which is emulation software for security keys, already supports ed25519 when it’s compiled from source with the configuration flags

./configure --with-openssl=/usr/lib/ssl --enable-eddsa=yes

Also, pkcs11-tool itself supports --key-type EC:ed25519, but only when a security key that supports the Ed25519 algorithm is in place.

The command which I’d like to use would be:

pkcs11-tool --module /path/to/lib-hsm.so --login --login-type so --keypairgen --id 0 --key-type EC:ed25519 --usage-sign --allowed-mechanisms 0x1057
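The full round trip that this command is the first step of, written up as an added example (not code from the thread, OpenSC or Nitrokey): generate an Ed25519 key pair on a SoftHSM2 token built with --enable-eddsa, sign with CKM_EDDSA (0x1057, which pkcs11-tool names EDDSA), export the public key and verify the signature out-of-band with OpenSSL. It assumes the SoftHSM2 module path below, a user-PIN login instead of the SO login used above, OpenSC 0.20 or newer for the EDDSA mechanism name and DER SubjectPublicKeyInfo export, and OpenSSL 1.1.1 or newer for pkeyutl -rawin; all PINs, labels and the message are constructed values.

```shell
#!/bin/sh
# Added example (not from the forum thread or OpenSC/Nitrokey): Ed25519
# keygen -> sign -> verify round trip through pkcs11-tool against SoftHSM2,
# checked out-of-band with OpenSSL. Paths, PINs and labels are assumptions.

MODULE="${MODULE:-/usr/lib/softhsm/libsofthsm2.so}"   # assumed path (Debian/Ubuntu layout)
SO_PIN="${SO_PIN:-12345678}"                            # constructed
PIN="${PIN:-1234}"                                      # constructed
KEY_ID="01"
LABEL="ed25519-demo"

# CKM_EDDSA is mechanism 0x1057; pkcs11-tool refers to it as EDDSA.
EDDSA_MECH_HEX="0x1057"
EDDSA_MECH_NAME="EDDSA"

# An Ed25519 signature is always 64 raw bytes (R || S). Anything else means the
# module did not perform plain EdDSA (wrapped output, or an error text written
# into the file), so check the length before trusting or shipping the file.
eddsa_sig_ok() {
    sig="$1"
    [ -f "$sig" ] || return 1
    [ "$(wc -c < "$sig" | tr -d ' ')" -eq 64 ]
}

# Private SoftHSM2 token store so the demo never touches system tokens.
setup_softhsm() {
    work="$1"
    mkdir -p "$work/tokens"
    printf 'directories.tokendir = %s/tokens\nobjectstore.backend = file\n' "$work" \
        > "$work/softhsm2.conf"
    export SOFTHSM2_CONF="$work/softhsm2.conf"
    softhsm2-util --init-token --free --label "$LABEL" --so-pin "$SO_PIN" --pin "$PIN"
}

gen_ed25519_key() {
    pkcs11-tool --module "$MODULE" --login --pin "$PIN" \
        --keypairgen --key-type EC:ed25519 --id "$KEY_ID" --label "$LABEL" \
        --usage-sign --allowed-mechanisms "$EDDSA_MECH_HEX"
}

sign_eddsa() {           # $1 = message file, $2 = signature output file
    pkcs11-tool --module "$MODULE" --login --pin "$PIN" \
        --sign --mechanism "$EDDSA_MECH_NAME" --id "$KEY_ID" \
        --input-file "$1" --output-file "$2"
}

export_pubkey() {        # $1 = output file, DER SubjectPublicKeyInfo
    pkcs11-tool --module "$MODULE" --read-object --type pubkey --id "$KEY_ID" \
        --output-file "$1"
}

verify_with_openssl() {  # $1 = DER pubkey, $2 = message, $3 = signature
    openssl pkeyutl -verify -pubin -inkey "$1" -rawin -in "$2" -sigfile "$3"
}

run_demo() {
    work="$(mktemp -d)"
    setup_softhsm "$work"
    gen_ed25519_key
    printf 'constructed test message\n' > "$work/msg.txt"
    sign_eddsa "$work/msg.txt" "$work/msg.sig"
    eddsa_sig_ok "$work/msg.sig" || {
        echo "output is not a 64-byte Ed25519 signature" >&2
        return 1
    }
    export_pubkey "$work/pub.der"
    verify_with_openssl "$work/pub.der" "$work/msg.txt" "$work/msg.sig"
}

# Only attempt the token round trip when the tooling is actually installed.
if command -v pkcs11-tool >/dev/null 2>&1 && command -v softhsm2-util >/dev/null 2>&1 \
   && command -v openssl >/dev/null 2>&1 && [ -f "$MODULE" ]; then
    run_demo
else
    echo "pkcs11-tool, softhsm2-util, openssl or $MODULE not found; skipping round trip" >&2
fi
```

The independent OpenSSL verification is the useful part: it proves that what the token returned is a plain EdDSA signature over the raw message (no pre-hashing), which is exactly what a consumer that knows nothing about PKCS#11 will expect. If a module only accepts the hex mechanism id, replace EDDSA_MECH_NAME with "$EDDSA_MECH_HEX" in sign_eddsa; pkcs11-tool accepts either form.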

Hey, you might want to check the following out:

Is this the same problem for the Nitrokey Storage version?

If it is, are there better alternatives out there that might be implemented, with fewer weaknesses?

Just wondering.

Or as many.

From what I recall, curve25519 is one of the better ones still. Though it’s unknown for how much longer this will be true.

At least I think it is true? The answers to the contrary haven’t sounded clear cut to me, but maybe?

The answer pertains only to Nitrokey HSM.

So Nitrokey Storage doesn’t have this problem? Or is it like N/A in its entirety?