[RFC 0/2] add engine based keys

Engine keys are private key files which are only understood by openssl
external engines.  The problem is they can't be loaded with the usual
openssl methods; they have to be loaded via ENGINE_load_private_key().
Because they're files, they fit well into openssh pub/private file
structure, so they're not very appropriately handled by the pkcs11
interface because it assumes the private keys are already present in
some token (so there's no way to pass in a file name).

The candidate I have for this is openssh private keys based in the
trusted platform module (either tpm 1.2 or tpm 2.0 ... we have engines
for both).

This is an example of my tpm2 based private/public ssh-key:

jejb@jarvis:~> ssh-add -o tpm2 /home/jejb/.ssh/id_rsa
Enter engine key passphrase:
jejb@jarvis:~> ssh-add -l
2048 SHA256:ZAv7jrI2bB2VBgk5jHA1g/fe4rVX1GqyCdPwF0ELU9k jejb@mulgrave (RSA)
jejb@jarvis:~> cat .ssh/id_rsa
-----BEGIN TSS2 KEY BLOB-----
-----END TSS2 KEY BLOB-----


Where openssl_tpm2_engine is available here:

https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/

---

James Bottomley (2):
  Add support for openssl engine based keys
  engine: add "any" engine mechanism and make it the default

 Makefile.in  |   4 +-
 authfd.c     |  45 +++++++++++++++
 authfd.h     |   7 +++
 ssh-add.c    |  41 +++++++++++--
 ssh-agent.c  |  82 ++++++++++++++++++++++++++
 ssh-engine.c | 185 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 ssh-engine.h |  10 ++++
 7 files changed, 367 insertions(+), 7 deletions(-)
 create mode 100644 ssh-engine.c
 create mode 100644 ssh-engine.h

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
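The key-file dispatch the cover letter implies (an engine key is a PEM file only the matching engine can load, and an "any" default that picks the engine) as an added Python example; this is not the series' code, and the "TSS KEY BLOB" label for TPM 1.2, the DER length check and all function names are assumptions for illustration.

```python
import base64
import re

# PEM label -> OpenSSL engine that can load it. "TSS2 KEY BLOB" is the
# label shown in the post; "TSS KEY BLOB" for TPM 1.2 is an assumption.
ENGINE_BY_LABEL = {"TSS2 KEY BLOB": "tpm2", "TSS KEY BLOB": "tpm"}
_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed sample: a TSS2-labelled file whose body is a 4-byte DER
# SEQUENCE holding a NULL. It is not a real TPM key.
SAMPLE_TPM2_KEY = (
    "-----BEGIN TSS2 KEY BLOB-----\n"
    + base64.b64encode(b"\x30\x02\x05\x00").decode() + "\n"
    "-----END TSS2 KEY BLOB-----\n"
)

def parse_pem(text):
    """Return (label, der_bytes) for the first PEM block in text."""
    m = _PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    body = "".join(m.group(2).split())
    return m.group(1), base64.b64decode(body, validate=True)

def der_sequence_length(der):
    """Content length of the outer DER SEQUENCE; raises on non-SEQUENCE,
    bad length encoding, or a truncated/padded blob."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:
        length, hdr = der[1], 2
    else:
        nbytes = der[1] & 0x7F
        if nbytes == 0 or nbytes > 2 or len(der) < 2 + nbytes:
            raise ValueError("bad DER length encoding")
        length, hdr = int.from_bytes(der[2:2 + nbytes], "big"), 2 + nbytes
    if hdr + length != len(der):
        raise ValueError("DER length %d does not match blob size" % length)
    return length

def select_engine(text, requested="any"):
    """Pick the engine for a key file; "any" dispatches on the PEM label."""
    label, der = parse_pem(text)
    engine = ENGINE_BY_LABEL.get(label)
    if engine is None:
        raise ValueError("not an engine key: %s" % label)
    if requested not in ("any", engine):
        raise ValueError("key is for engine %s, not %s" % (engine, requested))
    der_sequence_length(der)   # reject truncated or padded blobs early
    return engine
```

A named engine (`-o tpm2`) must agree with the file's label, so a blob is never handed to an engine that cannot parse it, and a plain OpenSSH key is rejected before any engine call.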