EdDSA algorithm is not widely supported by most commercially available code signing tools. These instructions cover the tools we have verified to work for the commands below.
Generate keypair
Command:
pkcs11-tool --module <path to smpkcs11.dll> --keypairgen --key-type="<key type>" --label <alias>
Command sample
pkcs11-tool --module C:\Users\Name\Desktop\smctl\smpkcs11.dll --keypairgen --key-type="EC:edwards25519" --label eddsa-key-19101
Sign using keypair
Command:
pkcs11-tool --module <path to smpkcs11.dll> --sign --id <PKCS11 key ID> --mechanism EDDSA --input-file <unsigned file name> --output-file <signature file name>
Command sample:
pkcs11-tool --module C:\Users\Name\Desktop\smctl\smpkcs11.dll --sign --id 35396437316330372d303639362d346335642d626566632d616563376463343865386466 --mechanism EDDSA --input-file client_sign_config.json --output-file client_sign_config_signed.json
Import certificate
Command:
pkcs11-tool --module <path to smpkcs11.dll> --write-object <path to certificate> --type cert --id <certificate alias>
Command sample:
pkcs11-tool --module C:\Users\Name\Desktop\smctl\smpkcs11.dll --write-object C:\Users\Name\Desktop\smctl\linux\eddsa-18209-cert.crt --type cert --id eddsa-key-18209
Generate keypair with pkcs11-tool
Command:
pkcs11-tool --module <path to smpkcs11.so> --keypairgen --key-type="<key algorithm and curve>" --label <keypair alias>
Command sample:
pkcs11-tool --module /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so --keypairgen --key-type="EC:edwards25519" --label eddsa-key-19101
Generate keypair with p11tool
Command:
p11tool --provider <path to smpkcs11.so> --generate-privkey=<algorithm and curve> --label=<keypair alias>
Command sample:
p11tool --provider /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so --generate-privkey=ed25519 --label=eddsa-key-18204
Generate CSR
Command:
p11req -l <path to smpkcs11.so> -i <keypair alias> -d '/CN=<common name of certificate>/OU=<organizational unit of certificate>/C=<country code>' -H <hash algorithm type>
Command sample:
p11req -l /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so -i eddsa-key1 -d '/CN=test/OU=my dept/C=BE' -H sha512
Sign using keypair with pkcs11-tool
Command:
pkcs11-tool --module <path to smpkcs11.dll> --sign --id <PKCS11 key ID> --mechanism EDDSA --input-file <unsigned file name> --output-file <signature file name>
Command sample:
pkcs11-tool --module /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so --sign --id 35396437316330372d303639362d346335642d626566632d616563376463343865386466 --mechanism EDDSA --input-file client_sign_config.json --output-file client_sign_config_signed.json
Import certificate
Command:
p11importcert -l <path to smpkcs11.so> -i <keypair alias> -f <path to certificate> -s 0
Command sample:
p11importcert -l /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so -i eddsa-key-18209 -f /mnt/c/Users/Name/Desktop/smctl/linux/eddsa-18209-cert.crt -s 0
Import keypair
Command:
p11tool --login --write --load-privkey <path to private key> --label "<keypair alias>" --provider <path to smpkcs11.so>
Command sample:
p11tool --login --write --load-privkey /mnt/c/Users/Name/Desktop/smctl/linux/privatekey.pem --label "eddsa-key-imported1" --provider /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so
Tip
To locate PKCS11 key ID:
Run:
pkcs11-tool --module <path to pkcs11.dll or pkcs11.so> --list-objects
Identify the ID field of the keypair, this is the PKCS11 key ID.