PKCS#11 and ed25519 curve support?


I have a use case that requires programmatic access via PKCS#11 (or could use a native library) for signing binary data using an ed25519 key. I am curious if this is possible with the Nitrokey 3A Mini (or another Nitrokey device). (Such support has been almost impossible to find on any device.)

ed25519 isn’t supported by the PKCS#11 standard until version 3.0, which was published in 2020. I’ve seen other products support the algorithm but base their PKCS#11 driver on version 2.4. So even though I see that it is listed that the Nitrokey 3A Mini supports the ed25519 algorithm, it doesn’t necessarily mean that it can be used in all the interfaces (Microsoft CSP, OpenPGP, S/MIME, X.509, PKCS#11, OpenSC, FIDO2, FIDO U2F).

Hey @stinkiephish

generally we have ed25519 (the crypto-primitive) support on the Nitrokey 3s. As of now it is only used for U2F/FIDO2 on server request and for ssh-keygen, if one selects the proper algorithm/mechanism.

OpenPGP Card support is available in Alpha, and we are also currently working on enabling ed25519 for OpenSC, which would give you a PKCS#11 interface to this algorithm; the next Alpha release will likely include this. Please keep in mind that this is an Alpha firmware and not (yet) recommended to be used in production environments.
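Since a device listing ed25519 does not guarantee the PKCS#11 layer exposes CKM_EDDSA (the question's point, and what the OpenSC work in the answer would change), here is an added example, not from either poster or from Nitrokey, that checks the module's advertised mechanism list before attempting an Ed25519 signature. It assumes OpenSC's pkcs11-tool is installed and that its `--list-mechanisms` output has the "<name>, keySize={min,max}, flags..." shape; the sample output embedded below is constructed, not captured from a real token.

```python
"""Check whether a PKCS#11 module actually exposes Ed25519 (CKM_EDDSA) signing."""
import re
import subprocess

# CKM_EDDSA exists only from PKCS#11 v3.0 on; pkcs11-tool prints it as "EDDSA".
EDDSA_MECHANISM = "EDDSA"

# keySize={min,max} contains a comma, so strip it before splitting on commas.
KEYSIZE_RE = re.compile(r"keySize=\{[^}]*\},?")

# Constructed sample of `pkcs11-tool --list-mechanisms` output (not real device output).
SAMPLE_MECHANISMS = """Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA256-RSA-PKCS, keySize={2048,4096}, hw, sign, verify
  ECDSA, keySize={256,521}, hw, sign, verify
  EDDSA, keySize={256,256}, hw, sign, verify
  ECDH1-DERIVE, keySize={256,521}, hw, derive
"""


def parse_mechanisms(text: str) -> dict:
    """Map each advertised mechanism name to its set of flags (hw, sign, verify, ...)."""
    mechs = {}
    for line in text.splitlines():
        line = KEYSIZE_RE.sub("", line).strip()
        if not line or line.endswith(":") or line.startswith("Using"):
            continue  # header lines, not mechanisms
        parts = [p.strip() for p in line.split(",") if p.strip()]
        mechs[parts[0]] = set(parts[1:])
    return mechs


def eddsa_signing_available(mechanism_text: str) -> bool:
    """True only if the module advertises CKM_EDDSA *with* the sign capability."""
    flags = parse_mechanisms(mechanism_text).get(EDDSA_MECHANISM)
    return flags is not None and "sign" in flags


def list_mechanisms(module: str) -> str:
    """Query a real module (needs a connected token); returns pkcs11-tool's stdout."""
    out = subprocess.run(["pkcs11-tool", "--module", module, "--list-mechanisms"],
                         check=True, capture_output=True, text=True)
    return out.stdout


def sign_ed25519(module: str, key_id: str, data_path: str, sig_path: str, pin: str) -> None:
    """Sign a file with the token's Ed25519 key via CKM_EDDSA (writes the raw 64-byte signature)."""
    if not eddsa_signing_available(list_mechanisms(module)):
        raise RuntimeError("module does not expose CKM_EDDSA signing (PKCS#11 < 3.0 or unsupported)")
    subprocess.run(["pkcs11-tool", "--module", module, "--login", "--pin", pin,
                    "--sign", "--mechanism", EDDSA_MECHANISM, "--id", key_id,
                    "--input-file", data_path, "--output-file", sig_path], check=True)
```

The resulting signature can be checked off-token against the exported public key with `openssl pkeyutl -verify -rawin`, which confirms the mechanism really produced Ed25519 output rather than silently falling back.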