Re: Wanted: smartcard with ECDSA support

On 3/31/2015 11:02 AM, Thomas Calderon wrote:


On Tue, Mar 31, 2015 at 3:10 PM, Douglas E Engert <deengert@xxxxxxxxx> wrote:



    On 3/31/2015 4:23 AM, Thomas Calderon wrote:

        Hi list,

        I have no idea if Damien Miller had the time to work on that.

        I have an initial patch to authenticate using PKCS#11 and ECDSA keys.
        This requires OpenSSL 1.0.2, prior OpenSSL versions do not expose the
        required interfaces to override the signature function pointer for ECDSA.
        The only limitation is that the OpenSSL API misses some cleanup function
        (finish, for instance), hence I have yet to find a way to properly free the
        PKCS#11 resources.


    OpenSC, engine_opensc and libp11 versions on github can use OpenSSL-1.0.2 with ECDSA.
    They have similar problems with memory leaks and ECDSA. But they do work,
    if you can live with the memory leaks, for example to sign a certificate request
    with ECDSA.


Well this might be an issue to have the code integrated upstream in OpenSSH.
It is a shame that there isn't a clean way to do it. I will try to think of a better approach.
In the meantime, I'll integrate it as cleanly as possible and submit it as it is so we can keep a trace of it.




        Is this a contribution you might be interested in?


    Any OpenSSL code to call PKCS#11 directly and eliminate the need for the engine_opensc
    would be welcome.


Sure, the same approach can be used in PKI scenarios to generate a CSR and sign it in an OpenSSL context.

I am on the OpenSC, OpenSSL and OpenSSH lists. When I responded to you I was thinking the message was from the OpenSSL list,
thus the comments about PKCS#11 and OpenSSL. Sorry about the confusion.

You are right in that OpenSSL does miss some cleanup for ECC. See the OpenSSL bug report on the ECC METHOD code committed and the comment on no init and finish:
http://rt.openssl.org/Ticket/Display.html?id=2459#txn-50343




        Cheers,

        Thomas Calderon


    --

      Douglas E. Engert  <DEEngert@xxxxxxxxx>




--

 Douglas E. Engert  <DEEngert@xxxxxxxxx>

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



