Re: Wanted: smartcard with ECDSA support

On 03/31/2015 11:23 AM, Thomas Calderon wrote:
> Hi list,
>
> I have no idea if Damien Miller had the time to work on that.
>
> I have an initial patch to authenticate using PKCS#11 and ECDSA keys.
> This requires OpenSSL 1.0.2, prior OpenSSL versions do not expose the
> required interfaces to override the signature function pointer for ECDSA.
> The only limitation is that the OpenSSL API misses some cleanup function
> (finish, for instance), hence I have yet to find a way to properly free the
> PKCS#11 resources.
>
> Is this a contribution you might be interested in?

Hello list,
sorry for pulling such an old thread up. But I recently moved into the smartcard waters and I found the missing functionality of ECDSA keys quite unfortunate. I have access to the PIV Test cards by NIST [1] so I can work on this functionality.

As far as I remember, both of the patches hanging around [2] [3] were working to some extent, but in other cases exposed some non-ideal behavior and were not adhering to the best practices of PKCS#11 [4], which I found quite useful when implementing some other tool communicating over PKCS#11.

But before I start investing time into these improvements, I would like to see if there is some progress in upstream OpenSSH, a way to test (or if the ECDSA cards donation request is still an actual blocker) and willingness to accept this feature (and possibly other PKCS#11 related).

[1] http://csrc.nist.gov/groups/SNS/piv/testcards.html
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=2474
[3] https://ambientworks.net/ecdsa-ssh.txt
[4] https://wiki.oasis-open.org/pkcs11/CommonBugs

Regards,

--
Jakub Jelen
Security Technologies
Red Hat

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


