Krishna Yenduri wrote: > Mark, > > This looks good. I have a couple of comments below ... > >> 2. Project Summary >> 2.1. Project Description: >> This project will add Elliptic-Curve Cryptography (ECC) to the >> Solaris Encryption Framework. ECC will be available to kernel >> and user-level consumers. >> > > One potential kernel consumer is kernel SSL since TLS can use ECC cipher > suites.
Didn't think of that one. > >> 3.6. How will you know when you are done?: >> When we can use pkcs11 on Apache for ECC. >> > > Does this mean this project will modify OpenSSL PKCS #11 engine to > add the support for ECC mechanisms? You might want to test with Sun Java > System web server too. Perhaps I'm naive, but I thought by offering ECC mechanisms in libpkcs11 and telling the webserver to use pkcs11, that everything would work. > >> 4. Technical Description: >> 4.1. Details: >> The Solaris Crypto Framework has loadable software modules that >> provides cryptographic algorithms for kernel consumers. These offer >> algorithms such as AES and RSA. The framework also has a softtoken >> library that implements algorithms for user-level consumers. This >> project introduces a new module offering ECC. It also adds ECC to >> the softtoken library. >> >> The low-level implemention of ECC that we will use was originally >> developed by Sun Labs and subsequently given to NSS. Legal approval >> to use this code under Mozilla Public License v. 1.1 has been >> obtained. >> >> Supported PKCS#11 mechanisms are: CKM_EC_KEY_PAIR_GEN, CKM_ECDSA, >> CKM_ECDSA_SHA1, and CKM_ECDH1_DERIVE. > > I assume this list is for the softtoken library. What mechanisms will > the kernel > ecc software provider support? Same mechanisms and curves as in the softtoken library. > > Thanks, > -Krishna > > >> NSS implements 51 ECC curves, >> all of which will be supported. They are: >> >> secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, >> secp160r1, >> secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, >> secp384r1, >> secp521r1, sect113r1, sect113r2, sect131r1, sect131r2, >> sect163k1, >> sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, >> sect233r1, >> sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, >> sect571k1, >> sect571r1, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, >> c2tnb191v1, >> c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, >> c2tnb239v3, >> c2pnb272w1, c2pnb304w1, c2tnb359v1, c2pnb368w1, c2tnb431r1, >> prime192v1, >> prime192v2, prime192v3, prime256v1 >> >> 4.2. Bug/RFE Number(s): >> 5066901 Offer the PKCS#11 Elliptic Curve based mechanisms in Solaris >> 6562402 kernel software provider for Elliptic Curve mechanisms >> 4.3. In Scope: >> >> 4.4. Out of Scope: >> 4.5. Interfaces: >> Changes to softtoken will not affect the interface to softtoken. >> The only visible change will be four new PKCS#11 mechanisms that >> are visible when the capabilities of the softtoken are queried. >> The loadable module will introduce the following: >> /kernel/crypto/ecc >> /kernel/crypto/amd64/ecc >> /kernel/crypto/sparcv9/ecc >> >> >
