[gnutls-devel] GnuTLS | p11tool cannot generate ed25519 keys (#1309)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Sat Dec 25 17:53:21 CET 2021
Chih-Hsuan Yen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1309
## Description of problem:
I'm testing PKCS#11 via SoftHSM, and I noticed p11tool failed to generate Ed25519 keys. Digging a little, it seems to be a GnuTLS issue instead of a SoftHSM one - apparently GnuTLS uses a wrong mechanism for generating Ed25519 keys? Specifically, GnuTLS uses `CKM_EDDSA` [1], while this mechanism is for sign/verify instead of key generation [2].
[1] https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/lib/pkcs11_int.h#L295
[2] https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/csprd01/pkcs11-curr-v3.0-csprd01.pdf, table 33
## Version of gnutls used:
3.7.2, with SoftHSM 2.6.1
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL):
Arch Linux
## How reproducible:
Steps to Reproduce:
```
$ softhsm2-util --init-token --free --label MyToken
$ p11tool --login --generate-privkey Ed25519 --label Ed25519 --outfile key.pem "pkcs11:model=SoftHSM%20v2;token=MyToken"
```
## Actual results:
```
Generating an EdDSA (Ed25519) key...
Token 'MyToken' with URL 'pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6e5932b8da7f62f0;token=MyToken' requires user PIN
Enter PIN:
Error in pkcs11_generate:1355: PKCS #11 unsupported feature
```
## Expected results:
Key generation succeeds
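The report above turns on a mechanism being used for the wrong operation: `CKM_EDDSA` is flagged by the token for sign/verify, so handing it to `C_GenerateKeyPair` comes back as "unsupported feature". The following is an added illustration, not GnuTLS or SoftHSM code, of the preflight check a caller can make: query `C_GetMechanismInfo` and refuse to use a mechanism for key-pair generation unless it advertises `CKF_GENERATE_KEY_PAIR`. The PKCS#11 v3.0 mechanism that does carry that flag for Ed25519 is `CKM_EC_EDWARDS_KEY_PAIR_GEN`. The handful of types and constants are declared locally (assumption: they match the values in the OASIS v3.0 header), `fake_get_mechanism_info` is a constructed stand-in for a token's function-list entry, and `mechanism_can_generate_keypair` and `select_ed25519_keygen_mechanism` are names chosen here.

```c
#include <stdio.h>

/* Minimal subset of PKCS#11 v3.0 types and constants, declared locally so the
 * example builds without a vendor pkcs11.h. Assumption: these are the values
 * published in the OASIS PKCS#11 v3.0 header. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef CK_ULONG CK_SLOT_ID;
typedef CK_ULONG CK_MECHANISM_TYPE;
typedef CK_ULONG CK_FLAGS;

typedef struct {
    CK_ULONG ulMinKeySize;
    CK_ULONG ulMaxKeySize;
    CK_FLAGS flags;
} CK_MECHANISM_INFO;

#define CKR_OK                      0x00000000UL
#define CKR_MECHANISM_INVALID       0x00000070UL
#define CKM_EC_EDWARDS_KEY_PAIR_GEN 0x00001055UL  /* Ed25519/Ed448 key-pair generation */
#define CKM_EDDSA                   0x00001057UL  /* EdDSA sign/verify only */
#define CKF_SIGN                    0x00000800UL
#define CKF_VERIFY                  0x00002000UL
#define CKF_GENERATE_KEY_PAIR       0x00010000UL

/* Signature of C_GetMechanismInfo as found in a CK_FUNCTION_LIST. */
typedef CK_RV (*get_mechanism_info_fn)(CK_SLOT_ID, CK_MECHANISM_TYPE,
                                       CK_MECHANISM_INFO *);

/* Preflight check: ask the token what a mechanism is for, and only accept it
 * for C_GenerateKeyPair if CKF_GENERATE_KEY_PAIR is advertised.
 * Returns 1 when usable for key-pair generation, 0 otherwise. */
int mechanism_can_generate_keypair(get_mechanism_info_fn get_info,
                                   CK_SLOT_ID slot, CK_MECHANISM_TYPE mech)
{
    CK_MECHANISM_INFO info = {0, 0, 0};
    CK_RV rv = get_info(slot, mech, &info);
    if (rv != CKR_OK) {
        fprintf(stderr, "mechanism 0x%lx: C_GetMechanismInfo failed, rv=0x%lx\n",
                mech, rv);
        return 0;
    }
    if (!(info.flags & CKF_GENERATE_KEY_PAIR)) {
        fprintf(stderr, "mechanism 0x%lx: flags=0x%lx, lacks CKF_GENERATE_KEY_PAIR\n",
                mech, info.flags);
        return 0;
    }
    return 1;
}

/* Constructed stand-in for a token's C_GetMechanismInfo (not SoftHSM's code).
 * It models the split the PKCS#11 v3.0 specification makes: CKM_EDDSA signs
 * and verifies, CKM_EC_EDWARDS_KEY_PAIR_GEN generates key pairs. Key sizes
 * are sample values. */
CK_RV fake_get_mechanism_info(CK_SLOT_ID slot, CK_MECHANISM_TYPE mech,
                              CK_MECHANISM_INFO *info)
{
    (void)slot;
    switch (mech) {
    case CKM_EDDSA:
        info->ulMinKeySize = 256; info->ulMaxKeySize = 456;
        info->flags = CKF_SIGN | CKF_VERIFY;
        return CKR_OK;
    case CKM_EC_EDWARDS_KEY_PAIR_GEN:
        info->ulMinKeySize = 256; info->ulMaxKeySize = 456;
        info->flags = CKF_GENERATE_KEY_PAIR;
        return CKR_OK;
    default:
        return CKR_MECHANISM_INVALID;
    }
}

/* Pick the mechanism to pass to C_GenerateKeyPair for an Ed25519 key.
 * Returns 0 if the token offers no mechanism flagged for key-pair generation. */
CK_MECHANISM_TYPE select_ed25519_keygen_mechanism(get_mechanism_info_fn get_info,
                                                  CK_SLOT_ID slot)
{
    if (mechanism_can_generate_keypair(get_info, slot, CKM_EC_EDWARDS_KEY_PAIR_GEN))
        return CKM_EC_EDWARDS_KEY_PAIR_GEN;
    return 0;
}

int main(void)
{
    CK_SLOT_ID slot = 0;  /* constructed slot id */
    printf("CKM_EDDSA usable for keygen: %d\n",
           mechanism_can_generate_keypair(fake_get_mechanism_info, slot, CKM_EDDSA));
    printf("selected keygen mechanism: 0x%lx\n",
           select_ed25519_keygen_mechanism(fake_get_mechanism_info, slot));
    return 0;
}
```

Against a real token, `get_info` would be the `C_GetMechanismInfo` pointer from the loaded module's function list; the check then reports the specific reason (mechanism unknown, or known but not flagged for key-pair generation) instead of the generic "unsupported feature" seen in the report.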