bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-31 21:46 UTC
[Bug 1498] New: OpenSC smartcard access should use raw public keys, not X.509 certificates
https://bugzilla.mindrot.org/show_bug.cgi?id=1498

           Summary: OpenSC smartcard access should use raw public keys, not X.509 certificates
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 5.1p1
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Keywords: patch
          Severity: normal
          Priority: P2
         Component: Smartcard
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: dkg at fifthhorseman.net

Created an attachment (id=1555)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1555)
patch so that OpenSC uses public keys instead of certificates

The OpenSC smartcard framework supports access to both raw public keys and X.509 certificates on crypto tokens. When OpenSSH is compiled --with-opensc, it currently looks for X.509 certificates on any smartcard it uses. But OpenSSH itself uses raw public keys (and not X.509), so requiring the presence of an X.509 cert on the smartcard is unnecessary and potentially problematic.

Everyone who has an X.509 certificate already has (embedded in the cert) a public key. But you can load a raw key onto a card without having a certificate. So raw keys would seem to be the lowest common denominator. Is there some other reason to require an X.509 certificate that i'm missing?

The attached patch allows OpenSSH to use certificateless RSA keys on any OpenSC-supported hardware crypto token. Fixing this bug also simplifies the sc_read_pubkey() implementation, reduces the number of #includes in scard-opensc.c, and removes a compilation warning, for whatever that's worth.

The patch was developed and tested against openssh 4.7p1 (from debian unstable), but it also applies cleanly to CVS HEAD. I used libopensc2-dev version 0.11.4, and did my testing against an Axalto CryptoFlex eGate 32k hardware token.

I'd appreciate any feedback on the patch. If i can do anything to encourage its adoption into the upstream codebase, let me know what it needs.
-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-31 21:47 UTC
[Bug 1498] OpenSC smartcard access should use raw public keys, not X.509 certificates
https://bugzilla.mindrot.org/show_bug.cgi?id=1498

--- Comment #1 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> 2008-08-01 07:47:24 ---

This was initially reported on 2008-06-20 on openssh-unix-dev:

http://marc.info/?l=openssh-unix-dev&m=121394687518903&w=2
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-21 10:36 UTC
[Bug 1498] OpenSC smartcard access should use raw public keys, not X.509 certificates
https://bugzilla.mindrot.org/show_bug.cgi?id=1498

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org> 2009-01-21 21:36:18 ---

I don't know enough about OpenSC to render an opinion on this, and I suspect that the other active developers are in the same boat. I'd suggest that you solicit some feedback and testing on the openssh-unix-dev@ mailing list as a way to move this forward.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jan-21 16:40 UTC
[Bug 1498] OpenSC smartcard access should use raw public keys, not X.509 certificates
https://bugzilla.mindrot.org/show_bug.cgi?id=1498

--- Comment #3 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> 2009-01-22 03:40:24 ---

The consensus on the list seemed to be that the patch was *not* acceptable as it currently stands because apparently some devices offer certificates but not raw public keys. Unfortunately no one identified a specific device, so i have no way of testing.

Probably the right thing to do is to scan for both types of object, to be able to handle both cases. This makes the code bulkier, but if there's no objection to that, i'll try to cook up a patch.
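The bug report's point that a certificate already carries the public key, and comment #3's proposal to scan for both object types, can be seen in code. The following is an added example, not the reporter's patch and not OpenSSH or OpenSC code: it derives the OpenSSH ssh-rsa public key from either a raw RSA SubjectPublicKeyInfo (the raw-key object a PKCS#15 card can store) or an X.509 certificate that embeds one, using only the Python standard library. The certificate it builds is a constructed structural stand-in (unsigned, empty names), the key values are constructed and not a real key, and all function names are this example's own.

```python
"""Added example (not from the bug, OpenSSH or OpenSC): derive an OpenSSH
ssh-rsa key from a raw SubjectPublicKeyInfo or from an X.509 certificate."""
import base64
import struct

RSA_OID = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption

# Constructed sample values (not a real key): a 240-bit modulus and e = 65537.
SAMPLE_N = int("c0ffee" * 10, 16)
SAMPLE_E = 65537


# --- minimal DER encoding ---------------------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_seq(*items):
    return der(0x30, b"".join(items))


def der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                       # keep the INTEGER positive
        b = b"\x00" + b
    return der(0x02, b)


def spki_rsa(n, e):
    """SubjectPublicKeyInfo for an RSA key: the raw-key object a token can hold."""
    alg = der_seq(der(0x06, RSA_OID), der(0x05, b""))
    rsa_pub = der_seq(der_int(n), der_int(e))
    return der_seq(alg, der(0x03, b"\x00" + rsa_pub))


def fake_cert(spki):
    """Constructed stand-in for a DER X.509 certificate (hypothetical): enough
    TBSCertificate fields to place the SPKI where a real one carries it."""
    sig_alg = der_seq(der(0x06, SHA256_RSA_OID), der(0x05, b""))
    tbs = der_seq(
        der(0xA0, der_int(2)),                      # [0] version v3
        der_int(1),                                 # serialNumber
        sig_alg,                                    # signature
        der_seq(),                                  # issuer (empty Name)
        der_seq(der(0x17, b"080731000000Z"),        # validity (UTCTime)
                der(0x17, b"090731000000Z")),
        der_seq(),                                  # subject (empty Name)
        spki,                                       # subjectPublicKeyInfo
    )
    return der_seq(tbs, sig_alg, der(0x03, b"\x00" * 9))  # dummy signature bits


# --- minimal DER decoding ---------------------------------------------------
def read_tlv(buf, pos=0):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                         # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def rsa_from_spki(spki_der):
    """Return (n, e) from a SubjectPublicKeyInfo; ValueError if it is not one."""
    tag, body, _ = read_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    alg, bits = children(body)            # ValueError unless exactly two children
    if alg[0] != 0x30 or children(alg[1])[:1] != [(0x06, RSA_OID)]:
        raise ValueError("algorithm is not rsaEncryption")
    if bits[0] != 0x03 or bits[1][:1] != b"\x00":
        raise ValueError("bad subjectPublicKey BIT STRING")
    _, pub, _ = read_tlv(bits[1][1:])
    n_tlv, e_tlv = children(pub)
    return int.from_bytes(n_tlv[1], "big"), int.from_bytes(e_tlv[1], "big")


def rsa_from_cert(cert_der):
    """Return (n, e) from the SPKI embedded in a certificate's TBSCertificate."""
    tag, body, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tbs_tag, tbs_body = children(body)[0]
    if tbs_tag != 0x30:
        raise ValueError("no TBSCertificate")
    for ctag, cval in children(tbs_body):  # the SPKI is the SEQUENCE that parses as rsaEncryption
        if ctag == 0x30:
            try:
                return rsa_from_spki(der(0x30, cval))
            except (ValueError, IndexError):
                continue
    raise ValueError("no RSA SubjectPublicKeyInfo in certificate")


# --- OpenSSH public key wire format ----------------------------------------
def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def ssh_mpint(i):
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return ssh_string(b)


def openssh_rsa(n, e):
    """authorized_keys form: 'ssh-rsa ' + base64(string 'ssh-rsa' || mpint e || mpint n)."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def openssh_key_from_token_object(obj_der):
    """Accept either object kind, so a card holding only a certificate or only
    a raw key yields the same OpenSSH key (the 'scan for both' approach)."""
    for extractor in (rsa_from_cert, rsa_from_spki):
        try:
            return openssh_rsa(*extractor(obj_der))
        except (ValueError, IndexError):
            continue
    raise ValueError("neither an X.509 certificate nor an RSA SubjectPublicKeyInfo")


if __name__ == "__main__":
    spki = spki_rsa(SAMPLE_N, SAMPLE_E)
    print(openssh_key_from_token_object(spki))
    print(openssh_key_from_token_object(fake_cert(spki)) == openssh_key_from_token_object(spki))
```

Both paths produce the same authorized_keys line, which is the whole reason the certificate is not needed for OpenSSH's purposes; trying the certificate parser first and falling back to the raw key covers the devices comment #3 mentions that expose only a certificate.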
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-26 00:46 UTC
[Bug 1498] OpenSC smartcard access should use raw public keys, not X.509 certificates
https://bugzilla.mindrot.org/show_bug.cgi?id=1498

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #4 from Damien Miller <djm at mindrot.org> ---

Rendered obsolete by the replacement of OpenSC with PKCS#11, which incidentally uses certificates by default :)
bugzilla-daemon at bugzilla.mindrot.org
2011-Jan-24 01:34 UTC
[Bug 1498] OpenSC smartcard access should use raw public keys, not X.509 certificates
https://bugzilla.mindrot.org/show_bug.cgi?id=1498

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Damien Miller <djm at mindrot.org> 2011-01-24 12:34:01 EST ---

Move resolved bugs to CLOSED after 5.7 release