[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [pkcs11] Groups - Draft outline and conformance section for PKCS #11 V2.40 Base Specification uploaded
I'll add the topic to today's agenda. Regards, Bob ----- Original Message ----- From: Peter Gutmann [mailto:pgut001@cs.auckland.ac.nz] Sent: Tuesday, March 19, 2013 10:57 PM To: pkcs11@lists.oasis-open.org <pkcs11@lists.oasis-open.org>; Griffin, Robert Subject: Re: [pkcs11] Groups - Draft outline and conformance section for PKCS #11 V2.40 Base Specification uploaded Another issue I'd like to raise (which didn't come up during the previous meeting, but some of it does fall under the buggy-implementation area) is that ECC handling is a mess. From the wiki: The way ECC support is currently handled is awful. First, applications need to check a whole slew of CKF_EC_xxx flags to check whether the general type of curve that they want is supported. After that it's basically guesswork, if you want to use (say) the near-universal NIST P256 then after checking all the flags to see whether named Fp curves are supported the only way to tell whether you can actually do P256 is to encode an ASN.1 OID for that curve (!!!), set it as CKA_EC_PARAMS for an object, and then see whether you can perform an operation with the resulting object. As far as I can see the only way to use this is to hope that the more common curves are supported and fail if not. This area needs a serious cleanup. There should be some means of querying whether standard curves are supported that only requires querying a CKC_xxx ('C' = curve) value, i.e. "is CKC_NIST_P256 supported?") without having to check assorted flags and then performing probing to see whether you can actually use that curve. To give an example of what things are like for users, I'm currently using an ECC implementation that claims to do signatures but not signature verification (so I kind of have to take it on faith that if I see a signing key and associated cert, that the cert is actually valid), claims not to do NIST named curves (via the CKF_EC_xxx flags) but comes with sample code that uses them, and returns the catch-all template-inconsistent if I try and use the template given in the PKCS #11 spec. (As an aside, if anyone has a PKCS #11 ECC implementation that actually works and runs under Windows, I'd like to be able to play with it in order to build some test code to exercise PKCS #11 ECC functionality). Peter.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]