Hello,

PKCS#11 is a standard API interface that can be used in order to access cryptographic tokens. You can find the specification at http://www.rsasecurity.com/rsalabs/node.asp?id=2133. Most smartcard and other cryptographic device vendors support PKCS#11; opensc also provides a PKCS#11 interface.

I can easily make the scard.c, scard-opensc.c and ssh-agent.c support PKCS#11.

PKCS#11 is a much more portable, standard and used standard than the current opensc implementation.

I have just written the PKCS#11 support for the openvpn project, and I think openssh can also benefit from the same implementation.

Are you interested in merging PKCS#11 support? I don't want to create a separate branch.

After implementing the PKCS#11 support you can drop the opensc code; users can use the opensc PKCS#11 provider in order to access their keys.

Is the current implementation of ssh-agent the final one? I am asking this before I implement code that may be dramatically changed (for example, support for X509 and PKIX).

Best Regards,
Alon Bar-Lev.

On Wed, Oct 05, 2005 at 01:14:57AM +0000, Alon Bar-Lev wrote:
> I can easily make the scard.c, scard-opensc.c and
> ssh-agent.c support PKCS#11.

If you do, may I suggest checking out libp11, also by the OpenSC project.

http://www.opensc.org/libp11/

//Peter

Darren J Moffat wrote:
> On Wed, 2005-10-05 at 02:14, Alon Bar-Lev wrote:
>
>>Hello,
>>
>>PKCS#11 is a standard API interface that can be used in
>>order to access cryptographic tokens. You can find the
>>specification at
>>http://www.rsasecurity.com/rsalabs/node.asp?id=2133, most
>>smartcard and other cryptographic device vendors support
>>PKCS#11, opensc also provides PKCS#11 interface.
>
> Did you get any response on this ?
>
> We would be very interested in this for Solaris. We use a derivative of
> OpenSSH in OpenSolaris. The ssh-agent hasn't changed much, if any.
> We also have very extensive PKCS#11 support including a "software
> smartcard".
>
> If you are interested in doing this via OpenSolaris; assuming OpenSSH
> isn't interested or you just want to try it with more PKCS#11 libraries
> see http://www.opensolaris.org/os/community/security/ or contact us via
> security-discuss at opensolaris.org.
>
> Thanks.
>

Hello,

No I didn't. I am still waiting for a response...

I don't think that writing this kind of code is worth the effort, unless it is going to be merged...

Maybe I'll just write it and see what happens...

Best Regards,
Alon Bar-Lev.