bugzilla-daemon at mindrot.org
2013-Mar-06 19:01 UTC
[Bug 2075] New: [PATCH] Enable key pair generation on a PCKS#11 device
https://bugzilla.mindrot.org/show_bug.cgi?id=2075

            Bug ID: 2075
           Summary: [PATCH] Enable key pair generation on a PCKS#11 device
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: rmcilroy at google.com

Created attachment 2225
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2225&action=edit
Pkcs11 key-pair generation patch

This patch enables ssh-keygen to generate an RSA public/private key pair on a PKCS#11 device (such as a TPM). Once the keys have been created on the PKCS#11 device, the public identity file is created as normal, but a new private key format is introduced to signal that the key needs to be loaded from an external device.

My plan is to augment this pkcs11 private key identity file format to enable automatic loading of the external key (e.g., without setting PKCS11Provider or using the -I option), but I wanted to run this by people first.

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2013-Jul-12 01:08 UTC
[Bug 2075] [PATCH] Enable key pair generation on a PCKS#11 device
https://bugzilla.mindrot.org/show_bug.cgi?id=2075

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org,
                   |                            |markus at openbsd.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Markus - can you take a look at this?
bugzilla-daemon at bugzilla.mindrot.org
2018-Feb-22 15:06 UTC
[Bug 2075] [PATCH] Enable key pair generation on a PCKS#11 device
https://bugzilla.mindrot.org/show_bug.cgi?id=2075

Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jjelen at redhat.com

--- Comment #2 from Jakub Jelen <jjelen at redhat.com> ---
Using ssh-keygen to generate keys on a PKCS#11 device is an interesting idea that I would clearly welcome, to avoid using many other tools to generate keys on smart cards. But I don't think referring to this key using an external file is the way to go. Can it be done without it? It would simplify the patch by a great deal.

Also I don't think that the generated key should have the CKA_DECRYPT attribute set, if it should be used for SSH.

Otherwise, the key-generation changes look reasonable.