Tools that support EdDSA algorithm signing
Preface
The EdDSA algorithm is not widely supported by commercially available code signing tools. These instructions cover the tools we have verified to work with the commands below.
Tools that support EdDSA
Windows | Linux |
---|---|
pkcs11-tool | p11importcert |
 | p11req |
 | p11tool |
Commands for Windows and Linux
Windows
Generate keypair
Command:
pkcs11-tool --module <path to smpkcs11.dll> --keypairgen --key-type="<key type>" --label <alias>
Command sample:
pkcs11-tool --module C:\Users\Name\Desktop\smctl\smpkcs11.dll --keypairgen --key-type="EC:edwards25519" --label eddsa-key-19101
Sign using keypair
Command:
pkcs11-tool --module <path to smpkcs11.dll> --sign --id <PKCS11 key ID> --mechanism EDDSA --input-file <unsigned file name> --output-file <signature file name>
Command sample:
pkcs11-tool --module C:\Users\Name\Desktop\smctl\smpkcs11.dll --sign --id 35396437316330372d303639362d346335642d626566632d616563376463343865386466 --mechanism EDDSA --input-file client_sign_config.json --output-file client_sign_config_signed.json
Import certificate
Command:
pkcs11-tool --module <path to smpkcs11.dll> --write-object <path to certificate> --type cert --id <certificate alias>
Command sample:
pkcs11-tool --module C:\Users\Name\Desktop\smctl\smpkcs11.dll --write-object C:\Users\Name\Desktop\smctl\linux\eddsa-18209-cert.crt --type cert --id eddsa-key-18209
Linux
Generate keypair with pkcs11-tool
Command:
pkcs11-tool --module <path to smpkcs11.so> --keypairgen --key-type="<key algorithm and curve>" --label <keypair alias>
Command sample:
pkcs11-tool --module /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so --keypairgen --key-type="EC:edwards25519" --label eddsa-key-19101
Generate keypair with p11tool
Command:
p11tool --provider <path to smpkcs11.so> --generate-privkey=<algorithm and curve> --label=<keypair alias>
Command sample:
p11tool --provider /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so --generate-privkey=ed25519 --label=eddsa-key-18204
Generate CSR
Command:
p11req -l <path to smpkcs11.so> -i <keypair alias> -d '/CN=<common name of certificate>/OU=<organizational unit of certificate>/C=<country code>' -H <hash algorithm type>
Command sample:
p11req -l /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so -i eddsa-key1 -d '/CN=test/OU=my dept/C=BE' -H sha512
Sign using keypair with pkcs11-tool
Command:
pkcs11-tool --module <path to smpkcs11.so> --sign --id <PKCS11 key ID> --mechanism EDDSA --input-file <unsigned file name> --output-file <signature file name>
Command sample:
pkcs11-tool --module /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so --sign --id 35396437316330372d303639362d346335642d626566632d616563376463343865386466 --mechanism EDDSA --input-file client_sign_config.json --output-file client_sign_config_signed.json
Import certificate
Command:
p11importcert -l <path to smpkcs11.so> -i <keypair alias> -f <path to certificate> -s 0
Command sample:
p11importcert -l /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so -i eddsa-key-18209 -f /mnt/c/Users/Name/Desktop/smctl/linux/eddsa-18209-cert.crt -s 0
Import keypair
Command:
p11tool --login --write --load-privkey <path to private key> --label "<keypair alias>" --provider <path to smpkcs11.so>
Command sample:
p11tool --login --write --load-privkey /mnt/c/Users/Name/Desktop/smctl/linux/privatekey.pem --label "eddsa-key-imported1" --provider /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so
Tip
To locate the PKCS11 key ID:
Run:
pkcs11-tool --module <path to pkcs11.dll or pkcs11.so> --list-objects
Identify the ID field of the keypair. This is the PKCS11 key ID.
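The lookup described in the tip can be scripted so that the sign command always receives the ID of the intended private key. The following is an added example, not part of the original instructions: the function name find_key_id, the sample listing and its object type strings are constructed, and the parser assumes the listing has an unindented object header line followed by indented "label:" and "ID:" fields.

```shell
#!/bin/sh
# Added example (not from the original page): resolve a keypair alias (label)
# to the PKCS11 key ID that --sign --id expects.
# Assumption: the listing uses pkcs11-tool's text layout, i.e. an unindented
# object header line followed by indented "label:" and "ID:" fields.

# find_key_id LABEL
#   stdin : output of `pkcs11-tool --module <module> --list-objects`
#   stdout: hex ID of the private key object labelled LABEL
#   status: 0 one match, 1 no match, 2 ambiguous label or malformed ID
find_key_id() {
    awk -v want="$1" '
        # Record the finished object if it is the private key we want.
        function commit() { if (is_priv && label == want && id != "") ids[++n] = id }
        # An unindented line starts a new object block.
        /^[^ \t]/ { commit(); is_priv = ($0 ~ /^Private Key Object/); label = ""; id = ""; next }
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line) }
        line ~ /^label:/ { sub(/^label:[ \t]*/, "", line); label = line; next }
        line ~ /^ID:/    { sub(/^ID:[ \t]*/, "", line); id = line }
        END {
            commit()
            if (n == 0) exit 1
            # Refuse to guess between duplicates, and reject non-hex IDs.
            if (n > 1 || ids[1] !~ /^([0-9a-fA-F][0-9a-fA-F])+$/) exit 2
            print ids[1]
        }
    '
}

# Constructed sample listing: the labels and the first ID reuse sample values
# from the commands above; their pairing and the second ID are made up.
sample_listing() {
    cat <<'EOF'
Private Key Object; EC_EDWARDS
  label:      eddsa-key-19101
  ID:         35396437316330372d303639362d346335642d626566632d616563376463343865386466
  Usage:      sign
Public Key Object; EC_EDWARDS
  label:      eddsa-key-19101
  ID:         35396437316330372d303639362d346335642d626566632d616563376463343865386466
  Usage:      verify
Private Key Object; EC_EDWARDS
  label:      eddsa-key-18204
  ID:         0a1b2c3d
  Usage:      sign
EOF
}
```

Against a real token, pipe the listing into the function, for example `pkcs11-tool --module <path to smpkcs11.so> --list-objects | find_key_id eddsa-key-19101`, and stop the signing script if the exit status is not 0.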