Skip to content

Add support for loading Ed25519 keys from PKCS#11 and using them

Jakub Jelen requested to merge jjelen/gnutls:eddsa-pkcs11 into master

Fixes #946 (closed)

I will have to look into testing this later if needed. So far tested manually in OpenSC, that I am able to load EdDSA Key into gnutls and use them to create self-signed certificate:

Key pair generated:
Private Key Object; EC_EDWARDS
  label:      EDDSA
  ID:         05
  Usage:      decrypt, sign, unwrap, derive
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC_EDWARDS  EC_POINT 255 bits
  EC_POINT:   0420aa0e50140a7f0c88f0cbcfb97a82f50814c22968f9547da18756a513b95ffbc6
  EC_PARAMS:  130c656477617264733235353139
  label:      EDDSA
  ID:         05
  Usage:      encrypt, verify, wrap, derive
  Access:     local
Generating a self signed certificate...
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 52200fa099f0b6dc47e0ac7edebedb27f3e9f871
	Validity:
		Not Before: Fri Feb 28 15:16:17 UTC 2020
		Not After: Sat Feb 27 15:16:17 UTC 2021
	Subject: O=OpenSC
	Subject Public Key Algorithm: EdDSA (Ed25519)
	Algorithm Security Level: High (256 bits)
		Curve:	Ed25519
		X:
			aa:0e:50:14:0a:7f:0c:88:f0:cb:cf:b9:7a:82:f5:08
			14:c2:29:68:f9:54:7d:a1:87:56:a5:13:b9:5f:fb:c6
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Subject Alternative Name (not critical):
			RFC822Name: none@example.org
		Key Usage (critical):
			Digital signature.
		Subject Key Identifier (not critical):
			09322de3f242ea5066c96ae46c1b27104ac453be
Other Information:
	Public Key ID:
		sha1:09322de3f242ea5066c96ae46c1b27104ac453be
		sha256:60bfb7e740ca4cd3ca05fae5a6bdc2a6be51d635e998e9a8bf9f31ea70356f1a
	Public Key PIN:
		pin-sha256:YL+350DKTNPKBfrlpr3Cpr5R1jXpmOmov58x6nA1bxo=



Signing certificate...
Using slot 0 with a present token (0x1b840330)
Created certificate:
Certificate Object; type = X.509 cert
  label:      EDDSA
  subject:    DN: O=OpenSC
  ID:         05

Checklist

  • Commits have Signed-off-by: with name/author being identical to the commit author
  • Code modified for feature
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated / NEWS entry present (for non-trivial changes)
  • CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

Reviewer's checklist:

  • Any issues marked for closing are addressed
  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to CONTRIBUTION.md
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code

Merge request reports