bugzilla-daemon at bugzilla.mindrot.org
2018-Jan-05  14:25 UTC
[Bug 2817] New: Add support for PKCS#11 URIs (RFC 7512)
https://bugzilla.mindrot.org/show_bug.cgi?id=2817
            Bug ID: 2817
           Summary: Add support for PKCS#11 URIs (RFC 7512)
           Product: Portable OpenSSH
           Version: 7.6p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Smartcard
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com
Created attachment 3111
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3111&action=edit
PKCS#11 URI (RFC7512) support
There is a series of patches adding support for PKCS#11 URIs [1], with a
test suite, and improving the existing tests so that they are actually run
against a software PKCS#11 module.
What is currently done:
 * Print PKCS#11 URIs from ssh-keygen
 * Accept PKCS#11 URIs in -i argument to ssh
 * Allow PKCS#11 URI specification in ssh_config
 * Fallback to p11-kit-proxy
 * PKCS#11 URI support for ssh-add and ssh-agent
  * internal representation is PKCS#11 URI
Currently recognized and used parts of PKCS#11 URI:
 * path (optional)
  * object
  * token
  * id
  * manufacturer
 * query (optional)
  * module-path
This allows us to select the key from smart card or HSM with the same
syntax used by other tools working with PKCS#11 devices.
It would be very simple to extend the work to allow specifying various
ways for providing PINs, which is part of the RFC.
The commits are reviewable on github [2] or in the attachment.
[1] https://tools.ietf.org/html/rfc7512
[2] https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Feb-06  08:38 UTC
[Bug 2817] Add support for PKCS#11 URIs (RFC 7512)
https://bugzilla.mindrot.org/show_bug.cgi?id=2817
Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |n.mavrogiannopoulos at gmail.com
--- Comment #1 from Nikos Mavrogiannopoulos <n.mavrogiannopoulos at
gmail.com> ---
In my opinion the biggest advantage of this patch set is the ability to
be specific on the keys to use from a token/smart card. That is, it no
longer sends the server each and every key present in the card, but
only the one specified by the user.
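The bug report lists which parts of an RFC 7512 URI the patch set recognises (path attributes object, token, id and manufacturer; query attribute module-path, with a fallback to p11-kit-proxy), and Comment #1 explains why that matters: the agent can offer the server only the key the user named instead of every key on the card. The following is an added example illustrating both points; it is not code from the patch set or from OpenSSH. It parses the URI per RFC 7512 (";"-separated path attributes, "&"-separated query attributes, percent-decoded values) and filters a constructed token inventory by the path attributes. The inventory, the public-key strings, the module path in the test and the function names are all constructed for this example; the default library name p11-kit-proxy.so is p11-kit's proxy module, used here as the fallback the report mentions.

```python
# Added example (not part of the patch set or OpenSSH): minimal RFC 7512
# PKCS#11 URI parsing plus the key-selection step that lets an agent offer
# only the matching key. Inventory and names below are constructed.
from urllib.parse import unquote_to_bytes

# Attributes the patch set says it recognises (from the bug report).
PATH_ATTRS = {"object", "token", "id", "manufacturer"}
QUERY_ATTRS = {"module-path"}


def _parse_attrs(text, sep):
    """Split 'name=value' pairs on sep and percent-decode each value."""
    attrs = {}
    if text == "":
        return attrs
    for item in text.split(sep):
        name, eq, value = item.partition("=")
        if not eq or not name:
            raise ValueError(f"malformed attribute {item!r}")
        if name in attrs:
            # RFC 7512 allows each attribute at most once; treat a repeat as an error.
            raise ValueError(f"duplicate attribute {name!r}")
        raw = unquote_to_bytes(value)
        # CKA_ID is arbitrary bytes, so 'id' stays binary; everything else is text.
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI; ValueError if malformed."""
    scheme = "pkcs11:"
    if not uri.startswith(scheme):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len(scheme):].partition("?")
    return _parse_attrs(path_part, ";"), _parse_attrs(query_part, "&")


def select_keys(uri, objects):
    """Return the objects matching every path attribute in the URI.

    A bare 'pkcs11:' matches every object, i.e. the 'offer every key'
    behaviour the URI is meant to avoid. An attribute the inventory cannot
    satisfy (including one this code does not know) matches nothing, so an
    unrecognised selector never widens the set of keys offered.
    """
    path, _query = parse_pkcs11_uri(uri)
    return [obj for obj in objects
            if all(obj.get(name) == value for name, value in path.items())]


def module_for(uri, default="p11-kit-proxy.so"):
    """module-path from the query, else the p11-kit proxy fallback."""
    _path, query = parse_pkcs11_uri(uri)
    return query.get("module-path", default)


def identity_is_pkcs11(identity_file):
    """True when an IdentityFile value is a URI rather than a file path."""
    return identity_file.startswith("pkcs11:")


# Constructed inventory standing in for what a module enumerates from a token.
SAMPLE_OBJECTS = [
    {"token": "Example Token", "manufacturer": "Example Vendor",
     "object": "auth-key", "id": b"\x01", "pubkey": "ssh-rsa AAAA...constructed1"},
    {"token": "Example Token", "manufacturer": "Example Vendor",
     "object": "sign-key", "id": b"\x02", "pubkey": "ssh-rsa AAAA...constructed2"},
    {"token": "Other Token", "manufacturer": "Example Vendor",
     "object": "auth-key", "id": b"\x01", "pubkey": "ssh-rsa AAAA...constructed3"},
]

if __name__ == "__main__":
    for uri in ("pkcs11:", "pkcs11:token=Example%20Token;id=%01"):
        keys = select_keys(uri, SAMPLE_OBJECTS)
        print(f"{uri!r}: {len(keys)} key(s) offered ->",
              [k["pubkey"] for k in keys])
```

Run stand-alone, the script shows the bare URI offering all three keys while the token/id URI narrows the set to one, which is exactly the difference between tripping a server's authentication-failure limit and a single successful attempt. Matching is deliberately strict: an attribute the inventory does not carry yields no key rather than all of them.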
bugzilla-daemon at bugzilla.mindrot.org
2018-Feb-15  15:14 UTC
[Bug 2817] Add support for PKCS#11 URIs (RFC 7512)
https://bugzilla.mindrot.org/show_bug.cgi?id=2817
Jakub Jelen <jjelen at redhat.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3111|0                           |1
        is obsolete|                            |
--- Comment #2 from Jakub Jelen <jjelen at redhat.com> ---
Created attachment 3119
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3119&action=edit
PKCS#11 URI (RFC7512) support v2
I uploaded a new version of the patch, which removes the PKCS11URI
configuration option; instead the URI can be provided to the
IdentityFile configuration option with the prefix "pkcs11:".
The changes to the code are minimal (the largest part is the testing
soft-pkcs11 module):
 Makefile.in                       |   24 +-
 configure.ac                      |   37 ++
 readconf.c                        |    5 +-
 regress/Makefile                  |    9 +-
 regress/agent-pkcs11.sh           |   13 +-
 regress/locl.h                    |   79 +++
 regress/pkcs11.sh                 |  285 +++++++++
 regress/soft-pkcs11.c             | 2058 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 regress/unittests/Makefile        |    2 +-
 regress/unittests/pkcs11/Makefile |    9 +
 regress/unittests/pkcs11/tests.c  |  329 ++++++++++
 ssh-add.c                         |   26 +
 ssh-agent.c                       |   99 ++-
 ssh-keygen.c                      |    1 +
 ssh-pkcs11-client.c               |    3 +
 ssh-pkcs11-uri.c                  |  399 ++++++++++++
 ssh-pkcs11-uri.h                  |   41 ++
 ssh-pkcs11.c                      |  266 ++++++--
 ssh-pkcs11.h                      |    5 +
 ssh.c                             |   99 ++-
 ssh_config.5                      |   13 +
 21 files changed, 3699 insertions(+), 103 deletions(-)
bugzilla-daemon at bugzilla.mindrot.org
2018-Mar-05  20:01 UTC
[Bug 2817] Add support for PKCS#11 URIs (RFC 7512)
https://bugzilla.mindrot.org/show_bug.cgi?id=2817
Thomas Jarosch <thomas.jarosch at intra2net.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |thomas.jarosch at intra2net.com
bugzilla-daemon at bugzilla.mindrot.org
2018-Mar-16  16:25 UTC
[Bug 2817] Add support for PKCS#11 URIs (RFC 7512)
https://bugzilla.mindrot.org/show_bug.cgi?id=2817
--- Comment #3 from Jakub Jelen <jjelen at redhat.com> ---
I added some more tests and fixed the functionality of loading and
unloading the keys per-URI instead of per-PKCS#11-module as it used to
be. The patches are available in my github branch and in copr.
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-19  12:02 UTC
[Bug 2817] Add support for PKCS#11 URIs (RFC 7512)
https://bugzilla.mindrot.org/show_bug.cgi?id=2817
David Woodhouse <dwmw2 at infradead.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dwmw2 at infradead.org
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-22  01:39 UTC
[Bug 2817] Add support for PKCS#11 URIs (RFC 7512)
https://bugzilla.mindrot.org/show_bug.cgi?id=2817
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |pkcs11
                 CC|                            |djm at mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
2019-Dec-29  00:30 UTC
[Bug 2817] Add support for PKCS#11 URIs (RFC 7512)
https://bugzilla.mindrot.org/show_bug.cgi?id=2817
egberts at yahoo.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |egberts at yahoo.com
bugzilla-daemon at bugzilla.mindrot.org
2020-Mar-09  09:19 UTC
[Bug 2817] Add support for PKCS#11 URIs (RFC 7512)
https://bugzilla.mindrot.org/show_bug.cgi?id=2817
--- Comment #4 from Jakub Jelen <jjelen at redhat.com> ---
The updated and rebased change is still available here:
https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
https://github.com/Jakuje/openssh-portable/commit/ed3eaf7d
bugzilla-daemon at mindrot.org
2020-Jun-17  16:26 UTC
[Bug 2817] Add support for PKCS#11 URIs (RFC 7512)
https://bugzilla.mindrot.org/show_bug.cgi?id=2817
Orion Poplawski <orion at nwra.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |orion at nwra.com
--- Comment #5 from Orion Poplawski <orion at nwra.com> ---
This would be very helpful to us.  We have multiple certificates on our
smart cards and are now running into issues where connections fail
because of too many authentication failures while trying the other
certificates on the card.  Please adopt this or at least comment as to
why it isn't acceptable.
bugzilla-daemon at mindrot.org
2020-Nov-10  11:30 UTC
[Bug 2817] Add support for PKCS#11 URIs (RFC 7512)
https://bugzilla.mindrot.org/show_bug.cgi?id=2817
Dirk-Willem van Gulik <dirkx at webweaving.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dirkx at webweaving.org
--- Comment #6 from Dirk-Willem van Gulik <dirkx at webweaving.org> ---
Rebased version tested on OSX and FreeBSD. In production without any
issues for 3 months. Works very well & is very useful.
bugzilla-daemon at mindrot.org
2023-Aug-27  13:52 UTC
[Bug 2817] Add support for PKCS#11 URIs (RFC 7512)
https://bugzilla.mindrot.org/show_bug.cgi?id=2817
daemonhorn at nullcore.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |daemonhorn at nullcore.com
--- Comment #7 from daemonhorn at nullcore.com ---
This would be helpful on multiple platforms for me (Windows, FreeBSD,
Linux).  I'm willing to assist with regression testing if I can help
expedite this patch landing.
Is there a committer who is willing to pick up and merge?