I would like to C_DeriveKey support to OpenSC, to the derivation capabilities of a smartcard. Although RSA can do key derivation, I am interested in CKM_ECDH1_COFACTOR_DERIVE which is supported in the newer PIV cards. (There is also some EDDH support in NSS to use with Thunderbird for encrypted mail.)
EC can only do encryption using key derivation, so to use card with EC keys will require a minimal implementation of C_DervieKey. The output of C_DeriveKey is a key object. This looks like a PKCS#11public session object with: CK_EXTRACTABLE = TRUE CK_LOCAL = FALSE CK_VALUE = the derived key CK_KEY_TYPE = CKK_GENERIC_SECRET The only operation done on the session key is to extract the CK_VALUE so there are no mechanisums. For the PIV card, only CKM_ECDH1_COFACTOR_DERIVE is supported, and it it can only do C_DeriveKey with struct CK_ECDH1_DERIVE_PARAMS with CK_EC_KDF_TYPE = CK_NULL; ulSharedDataLen = 0; pSharedData = NULL; So to add this will require the ability to return a session key object and to delete or clean it up after after the session is closed. At one time did OpenSC have any KDF code? If so did it have any PKCS#11 session key object code? -- Douglas E. Engert <deeng...@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel