On Tue, 2018-08-14 at 06:02 +1000, Damien Miller wrote:
> On Mon, 13 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote:
>
> > Lack of time on the Open Source projects is understandable, and not
> > uncommon.
> >
> > However, PKCS11 has been in the codebase practically forever - the ECC
> > patches that I saw did not alter the API or such. It is especially
> > non-invasive when digital signature is concerned.
> >
> > Considering how long those patches have been sitting in the queue, and
> > the continued interest among the users - perhaps you can prioritize
> > the integration?
>
> If someone can recommend hardware and some instructions on how to
> set it up that will only improve the chances of this happening
> sooner.

The pkcs11 tests are even part of the testsuite [1], but comically enough, they are never run, mostly because the software pkcs11 module is not in the repository. The fix for this test was proposed as part of PKCS#11 URI (unfortunately limited to RSA) [2] a long time ago, alongside several other offers to help in this direction, but without any followups for years in various email threads and bugs.

As already proposed by others, you really do not need to have hardware to implement and test things. There are several software tokens that are very suitable for testing. I would recommend softhsm [3]. For setting up a softhsm token, I use the following script, which I wrote initially for OpenSC and which is now simplified and used for libcacard [4]; it takes care of configuration, key and certificate creation, and loading them into the software card. Using ECC keys is pretty much a change of the RSA:1024 string to EC:secp256r1 or another curve.

As already said, the yubikey 4 is probably the best choice if you really need real hardware. For setting up a yubikey, you need yubico-piv-tool, which has its features and functionality explained in the manual page [5]. Later on, this works with the OpenSC pkcs11 module.
[1] https://github.com/openssh/openssh-portable/blob/master/regress/agent-pkcs11.sh
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=2817
[3] https://github.com/opendnssec/SoftHSMv2/
[4] https://gitlab.freedesktop.org/spice/libcacard/blob/master/tests/setup-softhsm2.sh
[5] https://developers.yubico.com/yubico-piv-tool/Manuals/yubico-piv-tool.1.html

--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
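A setup script along the lines of the softhsm procedure described in the mail, added here as an example; it is not the mail's script nor anything from OpenSSH, OpenSC or libcacard. It initialises a SoftHSM2 token, generates an EC key with pkcs11-tool (the RSA:1024 to EC:secp256r1 switch mentioned above) and checks that ssh-keygen -D lists the key; module paths, token label and PINs are assumed or constructed values.

```shell
#!/bin/sh
# Added example, not the mail's or OpenSSH's own script: set up a SoftHSM2
# token holding an EC key and check that OpenSSH sees it through PKCS#11.
# Assumes softhsm2-util, pkcs11-tool (OpenSC) and ssh-keygen are installed
# and that softhsm2.conf points at a writable token directory.
set -eu

TOKEN_LABEL="${TOKEN_LABEL:-ssh-test}"
SO_PIN="${SO_PIN:-12345678}"          # constructed test PINs, not real ones
USER_PIN="${USER_PIN:-1234}"
KEY_SPEC="${KEY_SPEC:-EC:secp256r1}"  # RSA:1024 here gives the RSA-only setup

# Map a pkcs11-tool key spec to the key type ssh-keygen -D prints for it,
# so the script can check the generated key actually reached OpenSSH.
ssh_type_for_spec() {
    case "$1" in
        RSA:*)                      echo ssh-rsa ;;
        EC:secp256r1|EC:prime256v1) echo ecdsa-sha2-nistp256 ;;
        EC:secp384r1)               echo ecdsa-sha2-nistp384 ;;
        EC:secp521r1)               echo ecdsa-sha2-nistp521 ;;
        *) echo "unsupported key spec: $1" >&2; return 1 ;;
    esac
}

# Locate libsofthsm2.so in common install paths (assumed locations).
find_softhsm_module() {
    for p in /usr/lib64/pkcs11/libsofthsm2.so \
             /usr/lib/softhsm/libsofthsm2.so \
             /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so; do
        [ -f "$p" ] && { echo "$p"; return 0; }
    done
    echo "libsofthsm2.so not found" >&2
    return 1
}

setup_token() {
    module=$(find_softhsm_module)
    softhsm2-util --init-token --free --label "$TOKEN_LABEL" \
        --so-pin "$SO_PIN" --pin "$USER_PIN"
    pkcs11-tool --module "$module" --login --pin "$USER_PIN" \
        --keypairgen --key-type "$KEY_SPEC" --id 01 --label ssh-key
    # ssh-keygen -D lists the public keys the module exposes; ssh-add -s
    # loads the same module into the agent once this check passes.
    want=$(ssh_type_for_spec "$KEY_SPEC")
    ssh-keygen -D "$module" | grep -q "^$want " &&
        echo "token ready: $want key visible through $module"
}

if [ "${1:-}" = "--setup" ]; then setup_token; fi
```

Run it as `sh setup-softhsm-ssh.sh --setup`; without the flag it only defines the helpers, so it can be sourced from a test harness such as the regress script referenced in [1].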