[gnutls-devel] GnuTLS | p11tool cannot generate ed25519 keys (#1309)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Sat Dec 25 17:53:21 CET 2021



Chih-Hsuan Yen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1309



## Description of problem:

I'm testing PKCS#11 via SoftHSM, and I noticed p11tool failed to generate Ed25519 keys. Digging a little, it seems to be a GnuTLS issue instead of a SoftHSM one - apparently GnuTLS uses the wrong mechanism for generating Ed25519 keys? Specifically, GnuTLS uses `CKM_EDDSA` [1], while this mechanism is for sign/verify instead of key generation [2].

[1] https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/lib/pkcs11_int.h#L295

[2] https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/csprd01/pkcs11-curr-v3.0-csprd01.pdf, table 33

## Version of gnutls used:

3.7.2, with SoftHSM 2.6.1

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Arch Linux

## How reproducible:

Steps to Reproduce:

```
$ softhsm2-util --init-token --free --label MyToken
$ p11tool --login --generate-privkey Ed25519 --label Ed25519 --outfile key.pem "pkcs11:model=SoftHSM%20v2;token=MyToken"  
```

## Actual results:

```
Generating an EdDSA (Ed25519) key...
Token 'MyToken' with URL 'pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6e5932b8da7f62f0;token=MyToken' requires user PIN
Enter PIN: 
Error in pkcs11_generate:1355: PKCS #11 unsupported feature
```

## Expected results:

Key generation succeeds
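
The report above turns on which operations a PKCS #11 mechanism is flagged for. The sketch below is an added example, not part of the original report and not GnuTLS or SoftHSM code: it checks a mechanism's usage flags before using it for key generation. The constant values are those of the PKCS #11 v3.0 header, where `CKM_EC_EDWARDS_KEY_PAIR_GEN` is the Edwards-curve key pair generation mechanism (a name the report itself does not mention); `preflight`, `mech_row` and the sample token table are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned long CK_ULONG;

/* Values from the PKCS #11 v3.0 header; redefined so this builds stand-alone. */
#define CKM_EC_EDWARDS_KEY_PAIR_GEN 0x00001055UL
#define CKM_EDDSA                   0x00001057UL
#define CKF_SIGN                    0x00000800UL
#define CKF_VERIFY                  0x00002000UL
#define CKF_GENERATE_KEY_PAIR       0x00010000UL

/* One row per mechanism: the type plus the flags C_GetMechanismInfo reports. */
struct mech_row { CK_ULONG type; CK_ULONG flags; };

enum verdict { MECH_OK, MECH_ABSENT, MECH_WRONG_USE };

/* Hypothetical helper: does the token offer `type` with every flag in `need`? */
enum verdict preflight(const struct mech_row *tok, size_t n,
                       CK_ULONG type, CK_ULONG need)
{
    for (size_t i = 0; i < n; i++)
        if (tok[i].type == type)
            return (tok[i].flags & need) == need ? MECH_OK : MECH_WRONG_USE;
    return MECH_ABSENT;
}

/* Constructed sample token (an assumption, not captured from SoftHSM). */
const struct mech_row sample_token[] = {
    { CKM_EC_EDWARDS_KEY_PAIR_GEN, CKF_GENERATE_KEY_PAIR },
    { CKM_EDDSA,                   CKF_SIGN | CKF_VERIFY },
};
const size_t sample_len = sizeof sample_token / sizeof sample_token[0];

int main(void)
{
    static const char *const text[] = {
        "ok", "not offered", "offered, but not for this use" };
    printf("generate with CKM_EDDSA: %s\n",
           text[preflight(sample_token, sample_len, CKM_EDDSA,
                          CKF_GENERATE_KEY_PAIR)]);
    printf("generate with CKM_EC_EDWARDS_KEY_PAIR_GEN: %s\n",
           text[preflight(sample_token, sample_len,
                          CKM_EC_EDWARDS_KEY_PAIR_GEN, CKF_GENERATE_KEY_PAIR)]);
    printf("sign with CKM_EDDSA: %s\n",
           text[preflight(sample_token, sample_len, CKM_EDDSA, CKF_SIGN)]);
    return 0;
}
```

Against a real token, the table rows would be filled from `C_GetMechanismList` and `C_GetMechanismInfo` instead of the constructed data.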
