
Feature: New key on token not only RSA

Open antonio-fr opened this issue 1 year ago • 5 comments

When creating a new key, the hardware tokens are listed among the key types. And the actual key type for a key created on a token is inferred to be RSA. One can only create RSA keys on a token. It would be a great feature if that limitation were not present.

For example, an additional field about key medium: "software", "token1", "token2", ... and then the current selector fields "types". So we can create whatever type we want on a token (ofc limited by the token ability).

antonio-fr avatar Oct 12 '22 16:10 antonio-fr

This is already supported. It is actually limited by the token ability .....

chris2511 avatar May 24 '23 17:05 chris2511

This is already supported. It is actually limited by the token ability .....

I can corroborate that, as of version 2.4.0 (2021) on Windows, the ECC options are NOT displayed, even though the tokens support ECC (I have tested on multiple different token models).

ARGYROU-MINAS avatar May 24 '23 17:05 ARGYROU-MINAS

XCA calls the PKCS#11 function C_GetMechanismList and looks for ...KEY-PAIR-GEN

$ pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -M | grep KEY-PAIR-GEN
Using slot 0 with a present token (0x60704b6)
  DSA-KEY-PAIR-GEN, keySize={512,1024}, generate_key_pair
  ECDSA-KEY-PAIR-GEN, keySize={112,521}, generate_key_pair, other flags=0x1900000
  RSA-PKCS-KEY-PAIR-GEN, keySize={512,16384}, generate_key_pair

The PKCS#11 middleware must return those mechanisms to be recognized by XCA in the key-generation dialog. Can you check that your middleware offers those mechanisms?

chris2511 avatar May 24 '23 18:05 chris2511
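As an added example (not XCA's code, and not posted by anyone in this thread), the following Python script applies the same test to `pkcs11-tool -M` output: which *-KEY-PAIR-GEN mechanisms the middleware lists, and hence which key types XCA should show for that token. The mechanism-name-to-key-type table and the second, RSA-only listing are assumptions constructed for the example.

```python
import re
# One mechanism line as printed by `pkcs11-tool -M` (OpenSC), e.g.
#   ECDSA-KEY-PAIR-GEN, keySize={112,521}, generate_key_pair, other flags=0x1900000
# The name must be followed by ',' or end of line so the "Using slot ..." banner never matches.
MECH_LINE = re.compile(
    r"^\s*(?P<name>[A-Z0-9_-]+)(?=,|$)"
    r"(?:, keySize=\{(?P<min>\d+),(?P<max>\d+)\})?(?P<flags>.*)$"
)

# Mechanism name -> XCA key type. Assumed mapping: the thread only says XCA looks for
# names ending in KEY-PAIR-GEN. OpenSC prints CKM_EC_KEY_PAIR_GEN as ECDSA-KEY-PAIR-GEN.
KEYGEN_TYPES = {
    "RSA-PKCS-KEY-PAIR-GEN": "RSA",
    "DSA-KEY-PAIR-GEN": "DSA",
    "ECDSA-KEY-PAIR-GEN": "EC",
    "EC-KEY-PAIR-GEN": "EC",
}

def parse_mechanisms(output):
    """Map mechanism name -> key-size range and whether generate_key_pair is flagged."""
    mechs = {}
    for line in output.splitlines():
        m = MECH_LINE.match(line)
        if m:
            mechs[m["name"]] = {
                "min": int(m["min"]) if m["min"] else None,
                "max": int(m["max"]) if m["max"] else None,
                "gen_pair": "generate_key_pair" in m["flags"],  # CKF_GENERATE_KEY_PAIR
            }
    return mechs

def offered_key_types(output):
    """Key types XCA should offer for this token: a *-KEY-PAIR-GEN mechanism that also
    advertises generate_key_pair (stricter than the name-only test described in the
    thread). Names outside KEYGEN_TYPES are kept verbatim so nothing is silently dropped."""
    return {KEYGEN_TYPES.get(n, n): (i["min"], i["max"])
            for n, i in parse_mechanisms(output).items()
            if n.endswith("KEY-PAIR-GEN") and i["gen_pair"]}

# Listing quoted in the thread (SoftHSM2), and a constructed middleware listing that can
# sign with EC keys but offers no EC key-pair generation, so only RSA would be offered.
SOFTHSM_OUTPUT = """Using slot 0 with a present token (0x60704b6)
  DSA-KEY-PAIR-GEN, keySize={512,1024}, generate_key_pair
  ECDSA-KEY-PAIR-GEN, keySize={112,521}, generate_key_pair, other flags=0x1900000
  RSA-PKCS-KEY-PAIR-GEN, keySize={512,16384}, generate_key_pair
"""
RSA_ONLY_OUTPUT = """Using slot 0 with a present token (0x1)
  ECDSA, keySize={256,384}, hw, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,4096}, generate_key_pair
"""
```

Feed it the real output of `pkcs11-tool --module <your middleware> -M`; if EC is missing from the result, the middleware, not XCA, is what hides the ECC options.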


Example with a YubiKey:

ECDSA is available as a mechanism.

ARGYROU-MINAS avatar May 24 '23 23:05 ARGYROU-MINAS

Turns out this feature request might be a bug issue after all.

antonio-fr avatar May 27 '23 22:05 antonio-fr