[Opendnssec-develop] Adding ECC to ods-signer
Rick van Rein
rick at openfortress.nl
Mon Sep 26 12:32:52 UTC 2016
Hi,
> I have been asked by SURFnet to enhance the ods-signer with Elliptic
> Curve algorithms. You are probably aware of the research that has been
> done by Roland, which turns out in favour of ECDSA signatures.
>
I was happy to find ECDSA on P-256 and P-384 already set up in libhsm,
thanks to Rickard!
And if I'm not mistaken... that is all that is needed? At least it looks
like the ods-signer is pretty agnostic about algorithms, it only loads the
DNS algorithm id from .signconf and libhsm() finds the PKCS #11 algorithm
by looking at the CKA_KEY_TYPE for the handle to the keys. Cool :)
I found and ran the hsmtest, including
Generating ECDSA Curve P-256 key... OK
Extracting key identifier... OK, fa9f31f32e1bc52ca7b153ee7667b079
Signing (ECDSA/SHA256) with key... OK
Deleting key... OK
Generating ECDSA Curve P-384 key... OK
Extracting key identifier... OK, 3d4aa6e60123480507a2b2e20d6dc52a
Signing (ECDSA/SHA384) with key... OK
Deleting key... OK
Has signing with ods-signer on zones already been tested? I didn't
find it in the OpenDNSSEC release notes (the site finds ECDSA mentioned
only in conjunction with SoftHSMv2).
I had understood ECDSA wasn't supported, but it now looks like it is all
ready for use under RFC 6605! Is there work that is left to be done?
Please let me know if there is :)
Thanks,
-Rick
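As an added illustration of the RFC 6605 handling this thread relies on (example code, not OpenDNSSEC or libhsm code; the function names and the sample RR text are my own), the following Go program maps the DNSKEY algorithm number to its curve and hash, refuses a key whose curve does not match that number (the consistency a signer needs between the signconf algorithm id and the stored key type), and emits the fixed-width r||s signature form RFC 6605 mandates rather than DER:

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"errors"
	"math/big"
)

// algParams maps an RFC 6605 DNSKEY algorithm number (13 = ECDSAP256SHA256, 14 = ECDSAP384SHA384) to its curve, the digest of msg, and the fixed byte length of each of r and s.
func algParams(alg uint8, msg []byte) (curve elliptic.Curve, digest []byte, n int) {
	switch alg {
	case 13:
		d := sha256.Sum256(msg)
		return elliptic.P256(), d[:], 32
	case 14:
		d := sha512.Sum384(msg)
		return elliptic.P384(), d[:], 48
	}
	return nil, nil, 0 // not an RFC 6605 algorithm
}

// SignRFC6605 returns the RRSIG signature field as r||s, each left-padded to the curve size, not DER (RFC 6605 section 4).
// It refuses a key whose curve does not match alg, mirroring the signconf-versus-key-type check a signer must make.
func SignRFC6605(alg uint8, priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	curve, digest, n := algParams(alg, msg)
	if curve == nil || priv.Curve.Params().Name != curve.Params().Name {
		return nil, errors.New("key curve does not match DNSKEY algorithm")
	}
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest)
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 2*n)
	r.FillBytes(sig[:n]) // zero-pads on the left to exactly n bytes
	s.FillBytes(sig[n:])
	return sig, nil
}

// VerifyRFC6605 splits a fixed-width r||s signature and checks it; any length other than the one alg dictates is rejected.
func VerifyRFC6605(alg uint8, pub *ecdsa.PublicKey, msg, sig []byte) bool {
	curve, digest, n := algParams(alg, msg)
	if curve == nil || pub.Curve.Params().Name != curve.Params().Name || len(sig) != 2*n {
		return false
	}
	r, s := new(big.Int).SetBytes(sig[:n]), new(big.Int).SetBytes(sig[n:])
	return ecdsa.Verify(pub, digest, r, s)
}
```

Algorithm 13 always yields a 64-byte signature and algorithm 14 a 96-byte one, which is why a signer can stay algorithm-agnostic as long as the key type and the algorithm id agree.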