Score:1

In PKCS#11, can I set a custom base point for a secp256r1 ECDSA signature?


According to FIPS 186-4 § D.1.1.5 Choice of Base Points I should be able to create ECDSA signatures with custom base points on P-256 (secp256r1).

Does standard PKCS#11 support this feature?

This is how far I got building example code, based on org.xipki:ipkcs11wrapper:1.0.4 and SoftHSM 2.6.1:

```kotlin
import org.xipki.pkcs11.wrapper.*
import org.xipki.pkcs11.wrapper.PKCS11Constants.*
import org.xipki.pkcs11.wrapper.attrs.Attribute
import java.math.BigInteger
import java.util.*

const val PATH = "/opt/homebrew/lib/softhsm/libsofthsm2.so"
val PIN = "1234".toCharArray()
val MESSAGE = "hello world".toByteArray()
val KEY_ID = AttributeVector(
    Attribute.getInstance(CKA_ID, BigInteger.valueOf(1))
)

fun main() {
    val module = PKCS11Module.getInstance(PATH).apply { initialize() }
    val slot = module.getSlotList(true).first()
    val token = PKCS11Token(slot.token, true, PIN).apply {
        // The token advertises ECDSA over prime fields, but not CKF_EC_ECPARAMETERS
        require(supportsMechanism(CKM_ECDSA, CKF_EC_F_P))
        require(!supportsMechanism(CKM_ECDSA, CKF_EC_ECPARAMETERS))
    }
    val key = token.getKey(KEY_ID)
    val params = null // I would expect to be able to set a base point here
    val mechanism = Mechanism(CKM_ECDSA, params)
    val value = token.sign(mechanism, key.id().handle, MESSAGE)
    println(Base64.getEncoder().encodeToString(value))
}
```

The code runs successfully, including the require assertions. But it still uses the standard base point from P-256. I suspect that the Mechanism parameters are configurable, but could not find a reasonable value in the library or in the standard.

dave_thompson_085:
That choice was stated in 186-4 and -3 (and Appendix 6 of -2) but has rarely if ever been used and is removed in 186-5. In fact all specific curves are removed from FIPS 186-5 and moved to new SP 800-186, where 3.1.1-4 are identical or equivalent to the former D.1.1.1-4, but there is nothing similar to D.1.1.5. That said, 186-5 and 800-186 were finalized less than 3 months ago, and existing implementations wouldn't have dropped formerly valid features so soon; rather **this feature was never popular in the first place**.
sander:
Thanks for your comment @dave_thompson_085. I will fix the question: where I wrote 186-5 I meant 186-4. Indeed I now see that 186-5 states: “The option to generate elliptic curves (besides those specified in SP 800-186) is removed. Similarly, users are not given the option to generate their own base points on elliptic curves.” Despite the feature not being popular, are you aware of any PKCS#11 support that could be available in actual HSMs?
Score:1

ECDSA signing with a standard curve but using a custom base point is theoretically allowed by some standards, but it is not common practice and I don't know of any API that supports it. It is not supported by PKCS#11, neither version 2.40 nor version 3.0: in both cases, the ECDSA mechanism does not have a parameter.

Looking at the code of SoftHSM, it supports ECDSA either with a Botan backend or with an OpenSSL backend, neither of which implements an extension to select a custom base point. This makes sense because SoftHSM intends to be a functional replacement for an HSM, and most HSMs don't have this feature.

You may be able to do ECDSA with secp256r1 but a custom base point by configuring a different curve when creating the key object. You can, in principle, create a private or public key object on a custom curve: the CKA_EC_PARAMS attribute can either specify a named curve or all the curve parameters. But very few libraries or HSMs support anything but named curves. Custom curves are risky (if you don't know what you're doing, you can easily choose insecure parameters) and difficult to implement (a lot of optimizations require precise knowledge about the parameters), so they never got popular.
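The two encodings that CKA_EC_PARAMS can carry, shown as an added example that is not part of the answer above: PKCS#11 defines the attribute as the DER encoding of the ANSI X9.62 `Parameters` choice, so a named curve is just an OBJECT IDENTIFIER, while a fully specified curve is the X9.62 / RFC 3279 `ECParameters` SEQUENCE whose `base` field is the only place in PKCS#11 where a non-standard base point could be expressed. The code is a minimal hand-rolled DER encoder and decoder; it assumes the public P-256 constants and the two X9.62 OIDs, nothing else. `classify_ec_params` mirrors the dispatch a library or token has to perform on the attribute, which is where tokens that only implement named curves reject the explicit form.

```python
# P-256 constants (FIPS 186-4 D.1.2.3); used to build a sample explicit encoding.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5

PRIME_FIELD_OID = "1.2.840.10045.1.1"  # ANSI X9.62 prime-field
SECP256R1_OID = "1.2.840.10045.3.1.7"  # ANSI X9.62 prime256v1 (secp256r1, P-256)


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_integer(v):
    # Minimal two's-complement: one extra leading 0x00 byte when the top bit is set.
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))


def der_octets(b):
    return _tlv(0x04, b)


def named_curve_params(oid=SECP256R1_OID):
    """CKA_EC_PARAMS, namedCurve choice: nothing but the DER OBJECT IDENTIFIER."""
    return der_oid(oid)


def explicit_curve_params(p, a, b, gx, gy, n, h=1):
    """CKA_EC_PARAMS, specifiedCurve choice (X9.62 / RFC 3279 ECParameters):
    SEQUENCE { version 1, fieldID { prime-field, p }, curve { a, b }, base, order, cofactor }.
    Whatever point the caller passes as (gx, gy) becomes the base point."""
    width = (p.bit_length() + 7) // 8
    field_id = _tlv(0x30, der_oid(PRIME_FIELD_OID) + der_integer(p))
    curve = _tlv(0x30, der_octets(a.to_bytes(width, "big")) + der_octets(b.to_bytes(width, "big")))
    base = der_octets(b"\x04" + gx.to_bytes(width, "big") + gy.to_bytes(width, "big"))
    return _tlv(0x30, der_integer(1) + field_id + curve + base + der_integer(n) + der_integer(h))


def _read_tlv(buf, pos=0):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def classify_ec_params(der):
    """Dispatch on the outer tag the way a PKCS#11 library or token must.
    Returns ("namedCurve", oid_hex) or ("specifiedCurve", base_point_x_hex)."""
    tag, body, end = _read_tlv(der)
    if end != len(der):
        raise ValueError("trailing bytes after ECParameters")
    if tag == 0x06:
        return "namedCurve", body.hex()
    if tag == 0x30:
        _, _version, pos = _read_tlv(body)
        _, _field_id, pos = _read_tlv(body, pos)
        _, _curve, pos = _read_tlv(body, pos)
        _, base, pos = _read_tlv(body, pos)
        if base[0] != 0x04:
            raise ValueError("only uncompressed base points handled here")
        width = (len(base) - 1) // 2
        return "specifiedCurve", base[1:1 + width].hex()
    raise ValueError("unexpected outer tag 0x%02x" % tag)


if __name__ == "__main__":
    print("named:   ", named_curve_params().hex())
    print("explicit:", explicit_curve_params(P, A, B, GX, GY, N).hex())
```

The named form for P-256 is the familiar 10-byte string `06082a8648ce3d030107`; the explicit form for the same curve runs to a few hundred bytes, and a token that compares CKA_EC_PARAMS against a table of known OIDs will not recognise it even when it describes the standard curve exactly.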

sander:
Thanks for the in-depth answer! Checking with individual HSM vendors now if they support custom `ECParameters` for `CKA_EC_PARAMS`, and ideally extensions to `CKM_ECDSA` that also allow for a per-signature base point choice. If the latter is not supported, I hope to be able to duplicate a key object’s `CKA_VALUE` but with different parameters – but that seems unlikely as it may enable key extraction. On the software side, I’ve checked and at least BouncyCastle 1.67 for Java supports signature creation and verification using custom base points.