bugzilla-daemon at mindrot.org
2013-Mar-06 19:01 UTC
[Bug 2075] New: [PATCH] Enable key pair generation on a PCKS#11 device
https://bugzilla.mindrot.org/show_bug.cgi?id=2075
Bug ID: 2075
Summary: [PATCH] Enable key pair generation on a PCKS#11 device
Classification: Unclassified
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: rmcilroy at google.com
Created attachment 2225
--> https://bugzilla.mindrot.org/attachment.cgi?id=2225&action=edit
Pkcs11 key-pair generation patch
This patch enables ssh-keygen to generate an RSA public/private key
pair on a PKCS#11 device (such as a TPM). Once the keys have been
created on the PKCS#11 device, the public identity file is created as
normal, but a new private key format is introduced to signal that the
key needs to be loaded from an external device.
My plan is to augment this pkcs11 private key identity file format to
enable automatic loading of the external key (e.g., without setting
PKCS11Provider or using the -I option), but I wanted to run this by
people first.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2013-Jul-12 01:08 UTC
[Bug 2075] [PATCH] Enable key pair generation on a PCKS#11 device
https://bugzilla.mindrot.org/show_bug.cgi?id=2075
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org,
| |markus at openbsd.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Markus - can you take a look at this?
bugzilla-daemon at bugzilla.mindrot.org
2018-Feb-22 15:06 UTC
[Bug 2075] [PATCH] Enable key pair generation on a PCKS#11 device
https://bugzilla.mindrot.org/show_bug.cgi?id=2075
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jjelen at redhat.com
--- Comment #2 from Jakub Jelen <jjelen at redhat.com> ---
Using ssh-keygen to generate keys on a PKCS#11 device is an interesting
idea that I would clearly welcome, to avoid using many other tools to
generate keys on smart cards.
But I don't think referring to this key using an external file is the way
to go. Can it be done without it? It would simplify the patch by a great
deal.
Also I don't think that the generated key should have the CKA_DECRYPT
attribute set, if it should be used for SSH.
Otherwise, the key-generation changes look reasonable.
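As an added illustration of the CKA_DECRYPT point raised in comment #2 (this is not code from attachment 2225 or from OpenSSH), the check below audits a private-key attribute template before it would be handed to key-pair generation, and goes slightly beyond the comment by also flagging CKA_UNWRAP and a missing CKA_SIGN. The typedefs are minimal stand-ins for a provider's pkcs11.h, and the function name, flag names and sample templates are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for PKCS#11 header types (assumption: real code would
 * include the provider's pkcs11.h). The CKA_* values are the attribute
 * type codes defined by the PKCS#11 specification. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_TRUE     1
#define CK_FALSE    0
#define CKA_DECRYPT 0x105UL
#define CKA_UNWRAP  0x107UL
#define CKA_SIGN    0x108UL

/* Hypothetical finding flags returned by audit_private_template(). */
enum { F_DECRYPT = 1, F_UNWRAP = 2, F_NO_SIGN = 4 };

/* Return 1 if boolean attribute `type` is present in the template and true. */
static int attr_true(const CK_ATTRIBUTE *t, size_t n, CK_ULONG type)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].type == type && t[i].pValue != NULL &&
            t[i].ulValueLen == sizeof(CK_BBOOL))
            return *(const CK_BBOOL *)t[i].pValue != CK_FALSE;
    return 0;
}

/* Audit a private-key template intended for a signing-only SSH key. */
int audit_private_template(const CK_ATTRIBUTE *t, size_t n)
{
    int findings = 0;
    if (attr_true(t, n, CKA_DECRYPT)) findings |= F_DECRYPT;
    if (attr_true(t, n, CKA_UNWRAP))  findings |= F_UNWRAP;
    if (!attr_true(t, n, CKA_SIGN))   findings |= F_NO_SIGN;
    return findings;
}

/* Constructed sample templates: one mixed-use, one signing-only. */
static CK_BBOOL yes = CK_TRUE, no = CK_FALSE;
CK_ATTRIBUTE tmpl_mixed[] = {
    { CKA_SIGN, &yes, sizeof yes }, { CKA_DECRYPT, &yes, sizeof yes } };
CK_ATTRIBUTE tmpl_sign_only[] = {
    { CKA_SIGN, &yes, sizeof yes }, { CKA_DECRYPT, &no, sizeof no } };

int main(void)
{
    printf("mixed=%d sign-only=%d\n", audit_private_template(tmpl_mixed, 2),
           audit_private_template(tmpl_sign_only, 2));
    return 0;
}
```

The check only sees attributes set explicitly; when a template omits CKA_DECRYPT, the default is left to the token, so a stricter policy would require it to be present and CK_FALSE.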