Age Encryption with PKCS11 tokens update

My code to use age encryption with a PKCS11 token has drastically improved in the past couple of days. Fewer things are hardcoded, although it still assumes you have a NIST P-256 curve on both sides of the exchange. But it derives a shared secret, passes that through an HKDF to make it a reliable key, and can output an age-formatted private or public key. It's rapidly approaching rough usability.

Some TODO items remain:

  • Verify the derivation scheme makes cryptographic sense
  • Verify the HKDF scheme also makes cryptographic sense
  • Verify that the key curves on both sides of the exchange match
  • Support more key curves
  • Find an example test case for a PKCS11 token which expects the public key point to be sent with a DER encoding so I can test that
  • More robust error handling