Hi,
I contact you about the merge request https://github.com/OP-TEE/optee_os/pull/5166 that is mandatory to be able to use an ECC private key imported in the PKCS11 TA and not generated by the TA.
Currently the status is: attributes on a generated ECC private key are
- EC_PARAMS
- VALUE
- EC_POINT
=> This object can be used for crypto operations.
Attributes on an imported ECC private key are
- EC_PARAMS
- VALUE
=> The PKCS11 TA cannot use it because the TA expects the EC_POINT attribute on an ECC private key.
Could you accept the merge request and have coherence between generated and imported objects even if for the moment it doesn't respect the PKCS11 standard?
Two options for the next step.
- Check with the PKCS11 editors to upgrade the spec and have the same behavior between RSA private objects and ECC private objects.
- Rework the code of the TA for ECC to link private and public objects, but that means that the ECC private and public objects must be present in the same slot to be able to perform crypto operations.
Best regards,
Cédric Dourlent,
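Added example, not code from this thread, from the pull request, or from the OP-TEE PKCS11 TA: it shows how the attribute the TA is missing on imported keys can be derived. CKA_EC_POINT is the public point Q = d*G, so it is fully determined by CKA_EC_PARAMS (the named-curve OID) and CKA_VALUE (the private scalar d); an imported key can therefore be brought to the same attribute set the TA produces at generation time, and a key that arrives with all three attributes can be checked for consistency before it is used. The code is pure Python 3.8+, covers only P-256 (prime256v1), encodes EC_POINT as the DER OCTET STRING of the X9.62 uncompressed point as PKCS#11 specifies, and uses a textbook, non-constant-time scalar multiplication. The template dict, the function names and the private scalar are constructed for the example; whether the TA's attribute checker accepts exactly this encoding has to be confirmed against the TA source.

```python
# Added example (not code from the thread, the PR or the OP-TEE PKCS11 TA).
# Derives CKA_EC_POINT from CKA_EC_PARAMS + CKA_VALUE for a P-256 private key,
# so an imported EC private key carries the same attribute set as one the
# TA generated. Pure Python 3.8+, no third-party dependencies.

# NIST P-256 (secp256r1) domain parameters, FIPS 186-4 / SEC 2.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (GX, GY)
INF = None  # point at infinity

# CKA_EC_PARAMS for P-256: DER-encoded OID 1.2.840.10045.3.1.7 (prime256v1).
EC_PARAMS_P256 = bytes.fromhex("06082A8648CE3D030107")


def point_add(p1, p2):
    """Affine addition on P-256; handles doubling and the point at infinity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p2 == -p1
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Right-to-left double-and-add; NOT constant time (illustration only)."""
    acc = INF
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + ax + b (mod p)."""
    if pt is INF:
        return False
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def derive_ec_point(ec_params, value):
    """CKA_EC_POINT for private scalar CKA_VALUE: the DER OCTET STRING that
    wraps the X9.62 uncompressed point 04 || X || Y (PKCS#11 v2.40, 2.3.3)."""
    if ec_params != EC_PARAMS_P256:
        raise ValueError("this example only handles prime256v1 CKA_EC_PARAMS")
    d = int.from_bytes(value, "big")
    if not 1 <= d < N:
        raise ValueError("CKA_VALUE is not a valid P-256 private scalar")
    x, y = scalar_mult(d, G)
    q = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    return bytes([0x04, len(q)]) + q  # 0x04 = OCTET STRING tag, 0x41 = 65


def complete_ec_private_key_template(template):
    """Hypothetical reconciliation step (name is ours): add EC_POINT when it
    is missing, and reject a template whose EC_POINT does not match VALUE."""
    t = dict(template)
    derived = derive_ec_point(t["CKA_EC_PARAMS"], t["CKA_VALUE"])
    if "CKA_EC_POINT" not in t:
        t["CKA_EC_POINT"] = derived
    elif t["CKA_EC_POINT"] != derived:
        raise ValueError("CKA_EC_POINT does not match CKA_VALUE")
    return t


# Constructed sample: an import template as the thread describes it,
# EC_PARAMS and VALUE present, EC_POINT absent.
SAMPLE_VALUE = bytes.fromhex(
    "C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721")
IMPORTED_TEMPLATE = {"CKA_EC_PARAMS": EC_PARAMS_P256, "CKA_VALUE": SAMPLE_VALUE}

if __name__ == "__main__":
    done = complete_ec_private_key_template(IMPORTED_TEMPLATE)
    print("CKA_EC_POINT =", done["CKA_EC_POINT"].hex())
```

The consistency branch is the part worth keeping whichever side of the boundary ends up deriving the point: if a caller-supplied CKA_EC_POINT is stored without being compared against CKA_VALUE, an object can be imported whose public half does not belong to its private half, and signatures made with it will not verify against the EC_POINT the object reports.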
Hi Cedric,
On Mon, Jun 19, 2023 at 3:50 PM dourlent cédric cedric.dourlent@gmail.com wrote:
Hi,
I contact you about the merge request https://github.com/OP-TEE/optee_os/pull/5166 that is mandatory to be able to use an ECC private key imported in the PKCS11 TA and not generated by the TA.
Currently the status is: attributes on a generated ECC private key are
- EC_PARAMS
- VALUE
- EC_POINT
=> This object can be used for crypto operations.
Attributes on an imported ECC private key are
- EC_PARAMS
- VALUE
=> The PKCS11 TA cannot use it because the TA expects the EC_POINT attribute on an ECC private key.
Could you accept the merge request and have coherence between generated and imported objects even if for the moment it doesn't respect the PKCS11 standard?
Two options for the next step.
- Check with the PKCS11 editors to upgrade the spec and have the same behavior
between RSA private objects and ECC private objects.
- Rework the code of the TA for ECC to link private and public objects, but
that means that the ECC private and public objects must be present in the same slot to be able to perform crypto operations.
Best regards,
Cédric Dourlent,
I think it's easier to keep this discussion in the pull request you mentioned above, or there's a risk that others might miss that it has moved elsewhere.
Thanks,
Jens
On 6/19/23 16:08, Jens Wiklander wrote:
I think it's easier to keep this discussion in the pull request you mentioned above, or there's a risk that others might miss that it has moved elsewhere.
I have re-opened the PR, in case it was the reason for not continuing there (admins can add comments to closed PRs, but I suppose non-admins cannot).
Thanks,
op-tee@lists.trustedfirmware.org