On Tue, Mar 31, 2015 at 3:10 PM, Douglas E Engert <deengert@xxxxxxxxx> wrote:

> On 3/31/2015 4:23 AM, Thomas Calderon wrote:
>
>> Hi list,
>>
>> I have no idea if Damien Miller had the time to work on that.
>>
>> I have an initial patch to authenticate using PKCS#11 and ECDSA keys.
>> This requires OpenSSL 1.0.2; prior OpenSSL versions do not expose the
>> required interfaces to override the signature function pointer for ECDSA.
>> The only limitation is that the OpenSSL API misses some cleanup function
>> (finish, for instance), hence I have yet to find a way to properly free
>> the PKCS#11 resources.
>
> OpenSC, engine_opensc and libp11 versions on GitHub can use OpenSSL-1.0.2
> with ECDSA.
> They have similar problems with memory leaks and ECDSA. But they do work,
> if you can live with the memory leaks, for example to sign a certificate
> request with ECDSA.

Well, this might be an issue to have the code integrated upstream in OpenSSH.
It is a shame that there isn't a clean way to do it. I will try to think of a
better approach. In the meantime, I'll integrate it as cleanly as possible and
submit it as it is so we can keep a trace of it.

>> Is this a contribution you might be interested in?
>
> Any OpenSSL code to call PKCS#11 directly and eliminate the need for the
> engine_opensc would be welcome.

Sure, the same approach can be used in PKI scenarios to generate a CSR and
sign it in an OpenSSL context.

>> Cheers,
>>
>> Thomas Calderon
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev@xxxxxxxxxxx
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
> --
>
> Douglas E. Engert <DEEngert@xxxxxxxxx>