Hey,
Do you have plans to support signing data with ed25519 keys using the pkcs11-tool? Yubikeys have something similar quite nicely documented here, but they only support RSA and some ECC keys, not Ed25519 keys, which is what we’d like to use for our use case. Is there a plan to support ed25519 keys anytime in the near future?
I know that, for example, SoftHSM2, which is emulation software for security keys, already supports ed25519 when it’s compiled from source with the configuration flags
./configure --with-openssl=/usr/lib/ssl --enable-eddsa=yes
Also the pkcs11-tool itself supports --key-type EC:ed25519, but only with a security key in place that supports the Ed25519 algorithm.
The command which I’d like to use would be:
pkcs11-tool --module /path/to/lib-hsm.so --login --login-type so --keypairgen --id 0 --key-type EC:ed25519 --usage-sign --allowed-mechanisms 0x1057
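The keygen command in this post will only succeed if the module actually advertises the two Ed25519 mechanisms it relies on: the key-pair generation mechanism behind --key-type EC:ed25519 (CKM_EC_EDWARDS_KEY_PAIR_GEN, 0x1055) and the signing mechanism named in --allowed-mechanisms 0x1057 (CKM_EDDSA). The following shell script is an added example, not code from the original post, OpenSC or Nitrokey: it checks a module's pkcs11-tool --list-mechanisms output for both before running the keygen. The two mechanism listings embedded in it are constructed, the mechanism names EC-EDWARDS-KEY-PAIR-GEN and EDDSA and the mechtype-0x… fallback for unnamed mechanisms are assumptions about OpenSC's output format, and gen_ed25519_if_supported is a hypothetical wrapper around the command from the post.

```shell
#!/bin/sh
# Added example: verify that a PKCS#11 module advertises CKM_EC_EDWARDS_KEY_PAIR_GEN
# (0x1055) and CKM_EDDSA (0x1057) before generating an Ed25519 key pair with pkcs11-tool.
# Assumed output shape (OpenSC): a "Supported mechanisms:" header followed by lines whose
# first token is the mechanism name plus a comma, e.g. "  EDDSA, keySize={255,448}, sign".
# Mechanisms OpenSC has no name for are assumed to print as "mechtype-0x<hex>".

# Constructed sample: a token that supports Ed25519 (as SoftHSM2 built with --enable-eddsa would).
SAMPLE_EDDSA='Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA256, digest
  RSA-PKCS-KEY-PAIR-GEN, keySize={512,16384}, generate_key_pair
  ECDSA, keySize={256,521}, sign, verify
  EC-EDWARDS-KEY-PAIR-GEN, keySize={255,448}, generate_key_pair
  EDDSA, keySize={255,448}, sign, verify'

# Constructed sample: a token with RSA and NIST-curve ECDSA only, no Edwards-curve mechanisms.
SAMPLE_NO_EDDSA='Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA256, digest
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,4096}, hw, generate_key_pair
  RSA-PKCS, keySize={1024,4096}, hw, decrypt, sign
  EC-KEY-PAIR-GEN, keySize={192,521}, hw, generate_key_pair
  ECDSA, keySize={192,521}, hw, sign, verify'

# has_mechanism <listing> <name> [<fallback-name>]
# Succeeds if a line after "Supported mechanisms:" starts with <name> (or <fallback-name>).
# Exact match on the first token, so "EDDSA" does not match "ECDSA".
has_mechanism() {
    printf '%s\n' "$1" | awk -v want="$2" -v alt="${3:-}" '
        /^Supported mechanisms:/ { in_list = 1; next }
        in_list {
            name = $1                    # first whitespace-delimited token, e.g. "EDDSA,"
            sub(/,$/, "", name)          # strip the trailing comma
            if (name == want || (alt != "" && name == alt)) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# supports_ed25519 <listing>
# Both mechanisms are required: --keypairgen --key-type EC:ed25519 needs the Edwards
# key-pair generator, and --allowed-mechanisms 0x1057 only makes sense if CKM_EDDSA exists.
supports_ed25519() {
    has_mechanism "$1" EC-EDWARDS-KEY-PAIR-GEN mechtype-0x1055 &&
        has_mechanism "$1" EDDSA mechtype-0x1057
}

# gen_ed25519_if_supported <module.so> <key-id>
# Hypothetical wrapper: queries the live module and runs the keygen command from the post
# only when the mechanisms are advertised. Returns 1 if unsupported, 2 if the module failed.
gen_ed25519_if_supported() {
    module=$1
    id=$2
    listing=$(pkcs11-tool --module "$module" --list-mechanisms 2>/dev/null) || return 2
    if supports_ed25519 "$listing"; then
        pkcs11-tool --module "$module" --login --login-type so --keypairgen \
            --id "$id" --key-type EC:ed25519 --usage-sign --allowed-mechanisms 0x1057
    else
        echo "$module does not advertise CKM_EC_EDWARDS_KEY_PAIR_GEN and CKM_EDDSA" >&2
        return 1
    fi
}
```

Run supports_ed25519 against your module's real listing first; a token that only lists RSA and NIST-curve mechanisms, like the second constructed sample, will reject the keygen no matter which --allowed-mechanisms value is passed.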
saper
February 22, 2023, 6:43pm
2
Hey, you might want to check the following out:
The SmartCard-HSM relies on the CC-certified crypto library of the SmartMX2 security controller and that does not support ed25519. Unfortunately NXP has no plans to add support in that library, so we are unable to support that in our code either.
There is also little demand from the markets for which this chip is produced (large scale card deployments like banking, government, health), so I’m not optimistic that the situation will change.
Additionally, there is no real benefit of those curves …
zapper
February 23, 2023, 3:38am
3
Is this the same problem for the nitrokey Storage version?
If it is, are there better alternatives out there that might be implemented, with fewer weaknesses?
Just wondering.
Or as many.
From what I recall, curve25519 is one of the better ones still. Though it’s unknown for how much longer this will be true.
At least I think it is true? The answers to the contrary haven’t sounded clear cut to me, but maybe?
meh…
saper
February 23, 2023, 9:02am
4
The answer pertains only to Nitrokey HSM.
zapper
April 19, 2023, 7:48pm
5
So nitrokey storage doesn’t have this problem? Or is it like N/A in its entirety?