possible key types values #1928
Comments
|
PKCS11-v2.40 "2.3.3 ECDSA public key objects" says:" The CKA_EC_PARAMS or CKA_ECDSA_PARAMS attribute value is known as the “EC domain parameters” and is defined in ANSI X9.62 as a choice of three parameter representation methods with the following syntax" "This allows detailed specification of all required values using choice ecParameters, the use of a As far as I know, no smart cards supports ecParameters. And implicitlyCA must not be used. That leaves just namedCurve. PKCS11 does not list the available curves which are input not as a character string, but as a DER encoded OID of a nameCurve. There does not appear to be any PKCS11 command to list what curves are supported, other then to try and use one and see if the card will use it. (There are curves that have multiple names and thus the same OID, which OpenSC pkcs11-tool.c lists all the EC curve names known to be used by cards supported by OpenSC drivers. But since pkcs11-tool can call other PKCS11 modules, it should accept an OID in decimal form or HEX and convert to a DER encoded OID so it can be then added to WHat PKCS11 calls "template for creating an EC (ECDSA) public key object" as What you really need to do is look at the vendor documentation for your smart card to determine which curves are supported. |
|
Ok, my smartcard was just an example with something that I had at hand.
If there is an authoritative list somewhere else, it would be ok to provide a link to it. |
|
There is no one authoritative list. If you card could support "elliptic curve domain parameters" you could make up your own curve. (It would just not have an OID representation and may not be secure.) See: Domain_parameters Also see: where-can-i-find-a-canonical-list-of-elliptic-curve-names-and-their-aliases Anyone can get an OID for anything. PKCS11 is extensible. It does not specify any specific list. pkcs11-tool.c is not. It has a list of curves that should include all the curves supported by the OpenSC "opensc-pkcs11.so" module. As I said it should allow for the use of any curve if the user provides an OID and a It still comes down to what does the token you have support, what does the other end support, what do the applications or protocol support. OpenSSL, TLS, FireFox, OpenSSH, etc. Many of these use curve names. You are welcome to submit a PR for the Man pages or change the Wiki or submit a PR to allow pkcs11-tool.c to accept any OIDs even if not in the builtin list. |
|
I agree, that we could do much better in terms of documenting features and standard use cases. However, I fear that I don't have much time to do this, currently. Luckily, OpenSC is a community project and you're free to extend the wiki or the manual pages... |
|
(Btw, as Doug said, PKCS#11 won't help you here. If you want a command line tool that tells you all available parameters, you should extend |
Problem Description
I have a Nitrokey HSM and I wanted to generate an ECDSA key. By chance, pkcs11-tool's man page told me that I needed to write EC:something, with one example, prime256v1. I looked through all the man pages, and ended up looking at src/tools/pkcs11-tool.c where there is a list of possible values for something.
Proposed Resolution
It would be great if an exhaustive list of key types and their possible "size" was available in the man page, and maybe the wiki here, so that people whose job is not cryptography and do not know all those magical strings can have a starting point, because the list of supported mechanism that my key gives does not really help with it :(
Logs
The text was updated successfully, but these errors were encountered: