On Fri, Sep 24, 2021 at 7:27 AM Daniel Salzman <daniel.salzman@nic.cz> wrote:

Luveh,

Have you tried to execute the pkcs11-tool command? What is your OS (version)? For example, EdDSA isn't available on Ubuntu 20.04.

Daniel

On 24. 09. 21 15:16, Luveh Keraph wrote:
> Thanks. The page that I mentioned does not say anything about openssl, which may lead one to believe that it is a softhsm issue. Your clarification on this would be much appreciated.
>
> On Fri, Sep 24, 2021 at 6:52 AM Daniel Salzman <daniel.salzman@nic.cz <mailto:daniel.salzman@nic.cz>> wrote:
>
> I expect the algorithm support in SoftHSM depends on the version of the cryptographic library (OpenSSL). We will try to update the documentation.
>
> Daniel
>
> On 24. 09. 21 14:39, Luveh Keraph wrote:
> > Well, the contents of this page:
> >
> > https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#compatible-pkcs-11-devices <https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#compatible-pkcs-11-devices> <https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#compatible-pkcs-11-devices <https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#compatible-pkcs-11-devices>>
> >
> > say otherwise, and, when one tries to deal with either of the EdDSA algorithms under knot 3.1 with softhsm, it does not work.
> >
> >
> > On Fri, Sep 24, 2021 at 12:46 AM Daniel Salzman <daniel.salzman@nic.cz <mailto:daniel.salzman@nic.cz> <mailto:daniel.salzman@nic.cz <mailto:daniel.salzman@nic.cz>>> wrote:
> >
> > Hi Luveh,
> >
> > I just found this command (executed on Fedora 34):
> >
> > # pkcs11-tool --modul /usr/lib64/pkcs11/libsofthsm2.so -M
> > Using slot 0 with a present token (0x5069fb60)
> > Supported mechanisms:
> > AES-CBC, keySize={16,32}, encrypt, decrypt, wrap
> > AES-CBC-ENCRYPT-DATA, derive
> > AES-CBC-PAD, keySize={16,32}, encrypt, decrypt
> > AES-CMAC, keySize={16,32}, sign, verify
> > AES-CTR, keySize={16,32}, encrypt, decrypt
> > AES-ECB, keySize={16,32}, encrypt, decrypt
> > AES-ECB-ENCRYPT-DATA, derive
> > AES-GCM, keySize={16,32}, encrypt, decrypt
> > AES-KEY-GEN, keySize={16,32}, generate
> > AES-KEY-WRAP, keySize={16,2147483648}, wrap, unwrap
> > mechtype-0x210A, keySize={1,2147483648}, wrap, unwrap
> > DES2-KEY-GEN, generate
> > DES3-CBC, encrypt, decrypt, wrap
> > DES3-CBC-ENCRYPT-DATA, derive
> > DES3-CBC-PAD, encrypt, decrypt
> > DES3-CMAC, sign, verify
> > DES3-ECB, encrypt, decrypt
> > DES3-ECB-ENCRYPT-DATA, derive
> > DES3-KEY-GEN, generate
> > DES-CBC, encrypt, decrypt, wrap
> > DES-CBC-ENCRYPT-DATA, derive
> > DES-CBC-PAD, encrypt, decrypt, wrap
> > DES-ECB, encrypt, decrypt, wrap
> > DES-ECB-ENCRYPT-DATA, derive
> > DES-KEY-GEN, generate
> > DH-PKCS-DERIVE, keySize={512,10000}, derive
> > DH-PKCS-KEY-PAIR-GEN, keySize={512,10000}, generate_key_pair
> > DH-PKCS-PARAMETER-GEN, keySize={512,10000}, generate
> > DSA, keySize={512,1024}, sign, verify
> > DSA-KEY-PAIR-GEN, keySize={512,1024}, generate_key_pair
> > DSA-PARAMETER-GEN, keySize={512,1024}, generate
> > DSA-SHA1, keySize={512,1024}, sign, verify
> > DSA-SHA224, keySize={512,1024}, sign, verify
> > DSA-SHA256, keySize={512,1024}, sign, verify
> > DSA-SHA384, keySize={512,1024}, sign, verify
> > DSA-SHA512, keySize={512,1024}, sign, verify
> > ECDH1-DERIVE, keySize={112,521}, derive
> > ECDSA, keySize={112,521}, sign, verify, EC F_P, EC OID, EC uncompressed
> > EC-EDWARDS-KEY-PAIR-GEN, keySize={256,456}, generate_key_pair
> > ECDSA-KEY-PAIR-GEN, keySize={112,521}, generate_key_pair, EC F_P, EC OID, EC uncompressed
> > EDDSA, keySize={256,456}, sign, verify
> > GENERIC-SECRET-KEY-GEN, keySize={1,2147483648}, generate
> > MD5, digest
> > MD5-HMAC, keySize={16,512}, sign, verify
> > MD5-RSA-PKCS, keySize={512,16384}, sign, verify
> > RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap
> > RSA-PKCS-KEY-PAIR-GEN, keySize={512,16384}, generate_key_pair
> > RSA-PKCS-OAEP, keySize={512,16384}, encrypt, decrypt, wrap, unwrap
> > RSA-PKCS-PSS, keySize={512,16384}, sign, verify
> > RSA-X-509, keySize={512,16384}, encrypt, decrypt, sign, verify
> > SHA1-RSA-PKCS, keySize={512,16384}, sign, verify
> > SHA1-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
> > SHA224, digest
> > SHA224-HMAC, keySize={28,512}, sign, verify
> > SHA224-RSA-PKCS, keySize={512,16384}, sign, verify
> > SHA224-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
> > SHA256, digest
> > SHA256-HMAC, keySize={32,512}, sign, verify
> > SHA256-RSA-PKCS, keySize={512,16384}, sign, verify
> > SHA256-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
> > SHA384, digest
> > SHA384-HMAC, keySize={48,512}, sign, verify
> > SHA384-RSA-PKCS, keySize={512,16384}, sign, verify
> > SHA384-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
> > SHA512, digest
> > SHA512-HMAC, keySize={64,512}, sign, verify
> > SHA512-RSA-PKCS, keySize={512,16384}, sign, verify
> > SHA512-RSA-PKCS-PSS, keySize={512,16384}, sign, verify
> > SHA-1, digest
> > SHA-1-HMAC, keySize={20,512}, sign, verify
> >
> > So it seems EdDSA is supported.
> >
> > Daniel
> >
> > On 24. 09. 21 2:12, Luveh Keraph wrote:
> > > I notice that knot 3.1 does not support EdDSA (22519 and 448) when using softhsm as a PKCS #11 backend. Since this is supported by knot when using the default cryptographic provider, and also by gnutls 3.6.0 (at least for the 25519 version) for release 3.6.0 and later, my guess is that this a limitation in softhsm itself. Could anybody in this forum with the necessary savvy please confirm (or not) this?
> > >
> > >
> >
>