Well, the contents of this page: https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#compatible-pkcs-11-devices
say otherwise, and, when one tries to deal with either of the EdDSA algorithms under knot 3.1 with softhsm, it does not work.

On Fri, Sep 24, 2021 at 12:46 AM Daniel Salzman <[email protected]> wrote:
> Hi Luveh,
>
> I just found this command (executed on Fedora 34):
>
> # pkcs11-tool --modul /usr/lib64/pkcs11/libsofthsm2.so -M
> Using slot 0 with a present token (0x5069fb60)
> Supported mechanisms:
>   AES-CBC, keySize={16,32}, encrypt, decrypt, wrap
>   AES-CBC-ENCRYPT-DATA, derive
>   AES-CBC-PAD, keySize={16,32}, encrypt, decrypt
>   AES-CMAC, keySize={16,32}, sign, verify
>   AES-CTR, keySize={16,32}, encrypt, decrypt
>   AES-ECB, keySize={16,32}, encrypt, decrypt
>   AES-ECB-ENCRYPT-DATA, derive
>   AES-GCM, keySize={16,32}, encrypt, decrypt
>   AES-KEY-GEN, keySize={16,32}, generate
>   AES-KEY-WRAP, keySize={16,2147483648}, wrap, unwrap
>   mechtype-0x210A, keySize={1,2147483648}, wrap, unwrap
>   DES2-KEY-GEN, generate
>   DES3-CBC, encrypt, decrypt, wrap
>   DES3-CBC-ENCRYPT-DATA, derive
>   DES3-CBC-PAD, encrypt, decrypt
>   DES3-CMAC, sign, verify
>   DES3-ECB, encrypt, decrypt
>   DES3-ECB-ENCRYPT-DATA, derive
>   DES3-KEY-GEN, generate
>   DES-CBC, encrypt, decrypt, wrap
>   DES-CBC-ENCRYPT-DATA, derive
>   DES-CBC-PAD, encrypt, decrypt, wrap
>   DES-ECB, encrypt, decrypt, wrap
>   DES-ECB-ENCRYPT-DATA, derive
>   DES-KEY-GEN, generate
>   DH-PKCS-DERIVE, keySize={512,10000}, derive
>   DH-PKCS-KEY-PAIR-GEN, keySize={512,10000}, generate_key_pair
>   DH-PKCS-PARAMETER-GEN, keySize={512,10000}, generate
>   DSA, keySize={512,1024}, sign, verify
>   DSA-KEY-PAIR-GEN, keySize={512,1024}, generate_key_pair
>   DSA-PARAMETER-GEN, keySize={512,1024}, generate
>   DSA-SHA1, keySize={512,1024}, sign, verify
>   DSA-SHA224, keySize={512,1024}, sign, verify
>   DSA-SHA256, keySize={512,1024}, sign, verify
>   DSA-SHA384, keySize={512,1024}, sign, verify
>   DSA-SHA512, keySize={512,1024}, sign, verify
>   ECDH1-DERIVE, keySize={112,521}, derive
>   ECDSA, keySize={112,521}, sign, verify, EC F_P, EC OID, EC uncompressed
>   EC-EDWARDS-KEY-PAIR-GEN, keySize={256,456}, generate_key_pair
>   ECDSA-KEY-PAIR-GEN, keySize={112,521}, generate_key_pair, EC F_P, EC OID, EC uncompressed
>   EDDSA, keySize={256,456}, sign, verify
>   GENERIC-SECRET-KEY-GEN, keySize={1,2147483648}, generate
>   MD5, digest
>   MD5-HMAC, keySize={16,512}, sign, verify
>   MD5-RSA-PKCS, keySize={512,16384}, sign, verify
>   RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap
>   RSA-PKCS-KEY-PAIR-GEN, keySize={512,16384}, generate_key_pair
>   RSA-PKCS-OAEP, keySize={512,16384}, encrypt, decrypt, wrap, unwrap
>   RSA-PKCS-PSS, keySize={512,16384}, sign, verify
>   RSA-X-509, keySize={512,16384}, encrypt, decrypt, sign, verify
>   SHA1-RSA-PKCS, keySize={512,16384}, sign, verify
>   SHA1-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
>   SHA224, digest
>   SHA224-HMAC, keySize={28,512}, sign, verify
>   SHA224-RSA-PKCS, keySize={512,16384}, sign, verify
>   SHA224-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
>   SHA256, digest
>   SHA256-HMAC, keySize={32,512}, sign, verify
>   SHA256-RSA-PKCS, keySize={512,16384}, sign, verify
>   SHA256-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
>   SHA384, digest
>   SHA384-HMAC, keySize={48,512}, sign, verify
>   SHA384-RSA-PKCS, keySize={512,16384}, sign, verify
>   SHA384-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
>   SHA512, digest
>   SHA512-HMAC, keySize={64,512}, sign, verify
>   SHA512-RSA-PKCS, keySize={512,16384}, sign, verify
>   SHA512-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
>   SHA-1, digest
>   SHA-1-HMAC, keySize={20,512}, sign, verify
>
> So it seems EdDSA is supported.
>
> Daniel
>
> On 24. 09. 21 2:12, Luveh Keraph wrote:
>> I notice that knot 3.1 does not support EdDSA (25519 and 448) when using
>> softhsm as a PKCS #11 backend. Since this is supported by knot when using
>> the default cryptographic provider, and also by gnutls 3.6.0 (at least for
>> the 25519 version) for release 3.6.0 and later, my guess is that this is a
>> limitation in softhsm itself. Could anybody in this forum with the
>> necessary savvy please confirm (or not) this?
-- https://lists.nic.cz/mailman/listinfo/knot-dns-users
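The thread turns on reading the `pkcs11-tool -M` listing: EdDSA needs both a key-pair generation mechanism (EC-EDWARDS-KEY-PAIR-GEN) and a sign/verify mechanism (EDDSA) whose key-size range covers 256 bits for Ed25519 and 456 bits for Ed448. The following script is an added example, not code from the thread, Knot or SoftHSM: it parses that listing (a constructed excerpt in the same layout as the output quoted above) and reports which Edwards curves the token advertises.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed sample in the layout printed by `pkcs11-tool -M`; it is an
# excerpt modelled on the SoftHSM listing quoted in the thread, not a capture.
SAMPLE_OUTPUT = """\
Using slot 0 with a present token (0x5069fb60)
Supported mechanisms:
  ECDSA, keySize={112,521}, sign, verify, EC F_P, EC OID, EC uncompressed
  EC-EDWARDS-KEY-PAIR-GEN, keySize={256,456}, generate_key_pair
  EDDSA, keySize={256,456}, sign, verify
  RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap
  SHA256, digest
"""

KEYSIZE_RE = re.compile(r"keySize=\{(\d+),(\d+)\}")
# Key lengths in bits that PKCS #11 reports for the two Edwards curves.
EDDSA_CURVES = {"Ed25519": 256, "Ed448": 456}


@dataclass
class Mechanism:
    name: str
    key_size: Optional[Tuple[int, int]]  # (min, max) bits; None when not reported
    flags: FrozenSet[str]                # e.g. sign, verify, generate_key_pair


def parse_mechanisms(text: str) -> Dict[str, Mechanism]:
    """Parse the 'Supported mechanisms:' block; the keySize token is removed
    first because its own comma would otherwise break the field split."""
    mechs: Dict[str, Mechanism] = {}
    in_block = False
    for line in text.splitlines():
        if line.strip() == "Supported mechanisms:":
            in_block = True
            continue
        if not in_block or not line.startswith(" "):
            continue
        m = KEYSIZE_RE.search(line)
        key_size = (int(m.group(1)), int(m.group(2))) if m else None
        fields = [f.strip() for f in KEYSIZE_RE.sub("", line).split(",") if f.strip()]
        mechs[fields[0]] = Mechanism(fields[0], key_size, frozenset(fields[1:]))
    return mechs


def _covers(mech: Optional[Mechanism], bits: int, needed: FrozenSet[str]) -> bool:
    """True when the mechanism exists, has every needed flag and admits this key size."""
    if mech is None or not needed <= mech.flags:
        return False
    return mech.key_size is None or mech.key_size[0] <= bits <= mech.key_size[1]


def eddsa_support(mechs: Dict[str, Mechanism]) -> Dict[str, bool]:
    """Per curve: does the token advertise both key generation and signing?"""
    gen, sig = mechs.get("EC-EDWARDS-KEY-PAIR-GEN"), mechs.get("EDDSA")
    return {curve: _covers(gen, bits, frozenset({"generate_key_pair"}))
            and _covers(sig, bits, frozenset({"sign", "verify"}))
            for curve, bits in EDDSA_CURVES.items()}


if __name__ == "__main__":
    # Pipe real `pkcs11-tool --module <lib> -M` output in; otherwise use the sample.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for curve, ok in eddsa_support(parse_mechanisms(text)).items():
        print(f"{curve}: {'advertised' if ok else 'missing'}")
```

A mechanism appearing in this list only says what the PKCS #11 module advertises; it does not by itself show that the application's PKCS #11 client (here Knot through GnuTLS) actually uses it, which is the gap the two messages above disagree about.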
