On 3/31/2015 11:02 AM, Thomas Calderon wrote:
On Tue, Mar 31, 2015 at 3:10 PM, Douglas E Engert <deengert@xxxxxxxxx <mailto:deengert@xxxxxxxxx>> wrote:
On 3/31/2015 4:23 AM, Thomas Calderon wrote:
Hi list,
I have no idea if Damien Miller had the time to work on that.
I have an initial patch to authenticate using PKCS#11 and ECDSA keys.
This requires OpenSSL 1.0.2, prior OpenSSL versions do not expose the
required interfaces to override the signature function pointer for ECDSA.
The only limitation is that the OpenSSL API misses some cleanup function
(finish, for instance), hence I have yet to find a way to properly free the
PKCS#11 resources.
OpenSC, engine_opensc and libp11 versions on github can use OpenSSL-1.0.2 with ECDSA.
They have the similar problems with memory leaks and ECDSA. But they do work,
if you can live with the memory leaks,for example to sign a certificate request
with ECDSA.
Well this might be an issue to have the code integrated upstream in OpenSSH.
It is a shame that there isn't a clean way to do it. I will try to think of a better approach.
In the meantime, I'll integrate it as cleanly as possible and submit it as it is so we can keep a trace of it.
Is this a contribution you might be interested in ?
Any OpenSSL code to call PKCS#11 directly and eliminate the need for the engine_opensc
would welcome.
Sure, the same approach can be used in PKI scenarios to generate a CSR and sign it in an OpenSSL context.
I am on the OpenSC, OpenSSL and OpenSSH lists. When I responded to you I was thinking the message was from the OpenSSL list,
thus the comments about PKCS#11 and OpenSSL. Sorry about the confusion.
You are right in that the OpenSSL does miss some cleanup for ECC.See OpenSSL bug report on ECC METHOD code committed and comment on no init and finish:
http://rt.openssl.org/Ticket/Display.html?id=2459#txn-50343
Cheers,
Thomas Calderon
_________________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx <mailto:openssh-unix-dev@xxxxxxxxxxx>
https://lists.mindrot.org/__mailman/listinfo/openssh-unix-__dev <https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev>
--
Douglas E. Engert <DEEngert@xxxxxxxxx <mailto:DEEngert@xxxxxxxxx>>
_________________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx <mailto:openssh-unix-dev@xxxxxxxxxxx>
https://lists.mindrot.org/__mailman/listinfo/openssh-unix-__dev <https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev>
--
Douglas E. Engert <DEEngert@xxxxxxxxx>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
