Re: Wanted: smartcard with ECDSA support

On Tue, Mar 31, 2015 at 3:10 PM, Douglas E Engert <deengert@xxxxxxxxx>
wrote:

>
>
> On 3/31/2015 4:23 AM, Thomas Calderon wrote:
>
>> Hi list,
>>
>> I have no idea if Damien Miller had the time to work on that.
>>
>> I have an initial patch to authenticate using PKCS#11 and ECDSA keys.
>> This requires OpenSSL 1.0.2; prior OpenSSL versions do not expose the
>> required interfaces to override the signature function pointer for ECDSA.
>> The only limitation is that the OpenSSL API misses some cleanup function
>> (finish, for instance), hence I have yet to find a way to properly free
>> the PKCS#11 resources.
>>
>
> OpenSC, engine_opensc and libp11 versions on GitHub can use OpenSSL-1.0.2
> with ECDSA.
> They have similar problems with memory leaks and ECDSA. But they do work,
> if you can live with the memory leaks, for example to sign a certificate
> request with ECDSA.


Well, this might be an issue to have the code integrated upstream in OpenSSH.
It is a shame that there isn't a clean way to do it. I will try to think of
a better approach.
In the meantime, I'll integrate it as cleanly as possible and submit it as
it is so we can keep a trace of it.


>
>
>
>> Is this a contribution you might be interested in?
>>
>
> Any OpenSSL code to call PKCS#11 directly and eliminate the need for the
> engine_opensc would be welcome.
>
>
Sure, the same approach can be used in PKI scenarios to generate a CSR and
sign it in an OpenSSL context.


>
>>
>> Cheers,
>>
>> Thomas Calderon
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev@xxxxxxxxxxx
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>>
> --
>
>  Douglas E. Engert  <DEEngert@xxxxxxxxx>
>