Thanks. The page that I mentioned does not say anything about openssl, which may lead one to believe that it is a softhsm issue. Your clarification on this would be much appreciated.
On Fri, Sep 24, 2021 at 6:52 AM Daniel Salzman <daniel.salz...@nic.cz> wrote:

> I expect the algorithm support in SoftHSM depends on the version of the
> cryptographic library (OpenSSL). We will try to update the documentation.
>
> Daniel
>
> On 24. 09. 21 14:39, Luveh Keraph wrote:
> > Well, the contents of this page:
> >
> > https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#compatible-pkcs-11-devices
> >
> > say otherwise, and, when one tries to deal with either of the EdDSA
> > algorithms under knot 3.1 with softhsm, it does not work.
> >
> > On Fri, Sep 24, 2021 at 12:46 AM Daniel Salzman <daniel.salz...@nic.cz> wrote:
> > > Hi Luveh,
> > >
> > > I just found this command (executed on Fedora 34):
> > >
> > > # pkcs11-tool --modul /usr/lib64/pkcs11/libsofthsm2.so -M
> > > Using slot 0 with a present token (0x5069fb60)
> > > Supported mechanisms:
> > >   AES-CBC, keySize={16,32}, encrypt, decrypt, wrap
> > >   AES-CBC-ENCRYPT-DATA, derive
> > >   AES-CBC-PAD, keySize={16,32}, encrypt, decrypt
> > >   AES-CMAC, keySize={16,32}, sign, verify
> > >   AES-CTR, keySize={16,32}, encrypt, decrypt
> > >   AES-ECB, keySize={16,32}, encrypt, decrypt
> > >   AES-ECB-ENCRYPT-DATA, derive
> > >   AES-GCM, keySize={16,32}, encrypt, decrypt
> > >   AES-KEY-GEN, keySize={16,32}, generate
> > >   AES-KEY-WRAP, keySize={16,2147483648}, wrap, unwrap
> > >   mechtype-0x210A, keySize={1,2147483648}, wrap, unwrap
> > >   DES2-KEY-GEN, generate
> > >   DES3-CBC, encrypt, decrypt, wrap
> > >   DES3-CBC-ENCRYPT-DATA, derive
> > >   DES3-CBC-PAD, encrypt, decrypt
> > >   DES3-CMAC, sign, verify
> > >   DES3-ECB, encrypt, decrypt
> > >   DES3-ECB-ENCRYPT-DATA, derive
> > >   DES3-KEY-GEN, generate
> > >   DES-CBC, encrypt, decrypt, wrap
> > >   DES-CBC-ENCRYPT-DATA, derive
> > >   DES-CBC-PAD, encrypt, decrypt, wrap
> > >   DES-ECB, encrypt, decrypt, wrap
> > >   DES-ECB-ENCRYPT-DATA, derive
> > >   DES-KEY-GEN, generate
> > >   DH-PKCS-DERIVE, keySize={512,10000}, derive
> > >   DH-PKCS-KEY-PAIR-GEN, keySize={512,10000}, generate_key_pair
> > >   DH-PKCS-PARAMETER-GEN, keySize={512,10000}, generate
> > >   DSA, keySize={512,1024}, sign, verify
> > >   DSA-KEY-PAIR-GEN, keySize={512,1024}, generate_key_pair
> > >   DSA-PARAMETER-GEN, keySize={512,1024}, generate
> > >   DSA-SHA1, keySize={512,1024}, sign, verify
> > >   DSA-SHA224, keySize={512,1024}, sign, verify
> > >   DSA-SHA256, keySize={512,1024}, sign, verify
> > >   DSA-SHA384, keySize={512,1024}, sign, verify
> > >   DSA-SHA512, keySize={512,1024}, sign, verify
> > >   ECDH1-DERIVE, keySize={112,521}, derive
> > >   ECDSA, keySize={112,521}, sign, verify, EC F_P, EC OID, EC uncompressed
> > >   EC-EDWARDS-KEY-PAIR-GEN, keySize={256,456}, generate_key_pair
> > >   ECDSA-KEY-PAIR-GEN, keySize={112,521}, generate_key_pair, EC F_P, EC OID, EC uncompressed
> > >   EDDSA, keySize={256,456}, sign, verify
> > >   GENERIC-SECRET-KEY-GEN, keySize={1,2147483648}, generate
> > >   MD5, digest
> > >   MD5-HMAC, keySize={16,512}, sign, verify
> > >   MD5-RSA-PKCS, keySize={512,16384}, sign, verify
> > >   RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap
> > >   RSA-PKCS-KEY-PAIR-GEN, keySize={512,16384}, generate_key_pair
> > >   RSA-PKCS-OAEP, keySize={512,16384}, encrypt, decrypt, wrap, unwrap
> > >   RSA-PKCS-PSS, keySize={512,16384}, sign, verify
> > >   RSA-X-509, keySize={512,16384}, encrypt, decrypt, sign, verify
> > >   SHA1-RSA-PKCS, keySize={512,16384}, sign, verify
> > >   SHA1-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
> > >   SHA224, digest
> > >   SHA224-HMAC, keySize={28,512}, sign, verify
> > >   SHA224-RSA-PKCS, keySize={512,16384}, sign, verify
> > >   SHA224-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
> > >   SHA256, digest
> > >   SHA256-HMAC, keySize={32,512}, sign, verify
> > >   SHA256-RSA-PKCS, keySize={512,16384}, sign, verify
> > >   SHA256-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
> > >   SHA384, digest
> > >   SHA384-HMAC, keySize={48,512}, sign, verify
> > >   SHA384-RSA-PKCS, keySize={512,16384}, sign, verify
> > >   SHA384-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
> > >   SHA512, digest
> > >   SHA512-HMAC, keySize={64,512}, sign, verify
> > >   SHA512-RSA-PKCS, keySize={512,16384}, sign, verify
> > >   SHA512-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
> > >   SHA-1, digest
> > >   SHA-1-HMAC, keySize={20,512}, sign, verify
> > >
> > > So it seems EdDSA is supported.
> > >
> > > Daniel
> > >
> > > On 24. 09. 21 2:12, Luveh Keraph wrote:
> > > > I notice that knot 3.1 does not support EdDSA (25519 and 448)
> > > > when using softhsm as a PKCS #11 backend. Since this is supported by knot
> > > > when using the default cryptographic provider, and also by gnutls 3.6.0 (at
> > > > least for the 25519 version) for release 3.6.0 and later, my guess is that
> > > > this is a limitation in softhsm itself. Could anybody in this forum with the
> > > > necessary savvy please confirm (or not) this?
-- https://lists.nic.cz/mailman/listinfo/knot-dns-users
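The `pkcs11-tool -M` listing quoted in the thread is the check to run before pointing Knot at a PKCS #11 module for EdDSA keys; the script below is an added example (not from the thread, Knot or SoftHSM) that scripts that check: it reads the listing on stdin and reports whether EDDSA sign/verify and EC-EDWARDS-KEY-PAIR-GEN are advertised and whether the requested key size falls inside the advertised keySize range. The two sample listings are constructed from lines in the thread, and the 456-bit figure is the PKCS #11 key size for Ed448 as the listing's upper bound shows.

```shell
#!/bin/sh
# Added example, not from the thread: check `pkcs11-tool -M` output for the
# mechanisms an EdDSA DNSSEC key needs (EDDSA for sign/verify, EC-EDWARDS-KEY-
# PAIR-GEN for key generation) and that the keySize range covers the request.

# Print "min max" from the EDDSA mechanism's keySize={min,max}; empty if absent.
eddsa_keysize_range() {
    grep '^ *EDDSA,' | sed -n 's/.*keySize={\([0-9]*\),\([0-9]*\)}.*/\1 \2/p'
}

# Read a mechanism listing on stdin; return 0 and print "EdDSA-<bits> usable"
# when the module can generate and sign with EdDSA keys of <bits> bits
# (256 = Ed25519, 456 = Ed448), else print the first missing requirement, return 1.
check_eddsa_support() {
    bits="$1"
    listing=$(cat)
    printf '%s\n' "$listing" | grep -q '^ *EDDSA,.*sign, verify' \
        || { echo "missing EDDSA sign/verify mechanism"; return 1; }
    printf '%s\n' "$listing" | grep -q '^ *EC-EDWARDS-KEY-PAIR-GEN,' \
        || { echo "missing EC-EDWARDS-KEY-PAIR-GEN mechanism"; return 1; }
    range=$(printf '%s\n' "$listing" | eddsa_keysize_range)
    min=${range% *}
    max=${range#* }
    if [ -z "$min" ] || [ "$bits" -lt "$min" ] || [ "$bits" -gt "$max" ]; then
        echo "EDDSA key size $bits outside advertised range {$min,$max}"
        return 1
    fi
    echo "EdDSA-$bits usable"
}

# Constructed sample: the EdDSA-relevant lines of the Fedora 34 listing in the thread.
SAMPLE_EDDSA='Using slot 0 with a present token (0x5069fb60)
Supported mechanisms:
  EC-EDWARDS-KEY-PAIR-GEN, keySize={256,456}, generate_key_pair
  ECDSA-KEY-PAIR-GEN, keySize={112,521}, generate_key_pair, EC F_P, EC OID, EC uncompressed
  EDDSA, keySize={256,456}, sign, verify
  RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap'

# Constructed sample: a module whose crypto library offers no EdDSA at all.
SAMPLE_NO_EDDSA='Using slot 0 with a present token (0x5069fb60)
Supported mechanisms:
  ECDSA, keySize={112,521}, sign, verify, EC F_P, EC OID, EC uncompressed
  RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap'

# Offline demo; on a real host pipe in the live listing instead:
#   pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so -M | check_eddsa_support 256
printf '%s\n' "$SAMPLE_EDDSA" | check_eddsa_support 256
printf '%s\n' "$SAMPLE_EDDSA" | check_eddsa_support 456
printf '%s\n' "$SAMPLE_NO_EDDSA" | check_eddsa_support 256 || true
```

A non-zero exit from the live pipeline means the module, not Knot, is the place to look, which is the distinction the thread is trying to settle.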