Hello everyone,

as you may have noticed over the years, there are several bugs for PKCS#11 improvement and integration which have been slipping under the radar for several releases, but the most painful ones are constantly updated by the community to build, work and make our lives better.

I wrote some of the patches, provided feedback to others, or offered other help here on the mailing list, but did not get much feedback; none of the patches (excluding some one-liners) are incorporated, and usually they are not yet even reviewed or considered.

I believe using PKCS#11 as a store for private keys is a good practice and making OpenSSH work with it is a must. So again, I am offering my help in this area, not limited to the following bugs (according to complexity and priority):

Bug 2430 - ssh-keygen should allow to login before reading public key from smart card
Bug 2652 - PKCS11 login skipped if login required and no pin set
Bug 2638 - Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects
Bug 2474 - Enabling ECDSA in PKCS#11 support for ssh-agent
Bug 2817 - Add support for PKCS#11 URIs (RFC 7512)
Bug 2472 - Add support to load additional certificates
Bug 2075 - [PATCH] Enable key pair generation on a PKCS#11 device

Namely, the #2638 one will be a big problem after the release of OpenSC 0.18.0 [1], which no longer allows the workflow OpenSSH is using.

Also in #2817, there is a resurrection of the soft-pkcs11 module in the regress testsuite, which can later be extended to verify other use cases as well.

[1] https://github.com/OpenSC/OpenSC/pull/1256

Thanks,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
Hi,

Sorry for being slow on these - once I've cleared some of my backlog and done the requisite remedial PKCS#11 education then I'll try to take a look at them.

-d

On Mon, 26 Feb 2018, Jakub Jelen wrote:
> Hello everyone,
>
> as you may have noticed over the years, there are several bugs for
> PKCS#11 improvement and integration which have been slipping under the radar
> for several releases, but the most painful ones are constantly updated
> by the community to build, work and make our lives better.
>
> I wrote some of the patches, provided feedback to others, or offered
> other help here on the mailing list, but did not get much
> feedback; none of the patches (excluding some one-liners) are
> incorporated, and usually they are not yet even reviewed or considered.
>
> I believe using PKCS#11 as a store for private keys is a good practice
> and making OpenSSH work with it is a must. So again, I am offering my help
> in this area, not limited to the following bugs (according to
> complexity and priority):
>
> Bug 2430 - ssh-keygen should allow to login before reading public key
> from smart card
> Bug 2652 - PKCS11 login skipped if login required and no pin set
> Bug 2638 - Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the
> private objects
> Bug 2474 - Enabling ECDSA in PKCS#11 support for ssh-agent
> Bug 2817 - Add support for PKCS#11 URIs (RFC 7512)
> Bug 2472 - Add support to load additional certificates
> Bug 2075 - [PATCH] Enable key pair generation on a PKCS#11 device
>
> Namely, the #2638 one will be a big problem after the release of OpenSC
> 0.18.0 [1], which no longer allows the workflow OpenSSH is using.
>
> Also in #2817, there is a resurrection of the soft-pkcs11 module in the
> regress testsuite, which can later be extended to verify other use
> cases as well.
>
> [1] https://github.com/OpenSC/OpenSC/pull/1256
>
> Thanks,
> --
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat, Inc.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
On Tue, 2018-02-27 at 13:33 +1100, Damien Miller wrote:
> Hi,
>
> Sorry for being slow on these - once I've cleared some of my backlog
> and done the requisite remedial PKCS#11 education then I'll try to take
> a look at them.

Thank you for the answer. Please let me know if any clarification, more help, reviews or testing is needed.

Jakub

> -d
>
> On Mon, 26 Feb 2018, Jakub Jelen wrote:
> > Hello everyone,
> >
> > as you may have noticed over the years, there are several bugs for
> > PKCS#11 improvement and integration which have been slipping under the radar
> > for several releases, but the most painful ones are constantly updated
> > by the community to build, work and make our lives better.
> >
> > I wrote some of the patches, provided feedback to others, or offered
> > other help here on the mailing list, but did not get much
> > feedback; none of the patches (excluding some one-liners) are
> > incorporated, and usually they are not yet even reviewed or considered.
> >
> > I believe using PKCS#11 as a store for private keys is a good practice
> > and making OpenSSH work with it is a must. So again, I am offering my help
> > in this area, not limited to the following bugs (according to
> > complexity and priority):
> >
> > Bug 2430 - ssh-keygen should allow to login before reading public key
> > from smart card
> > Bug 2652 - PKCS11 login skipped if login required and no pin set
> > Bug 2638 - Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the
> > private objects
> > Bug 2474 - Enabling ECDSA in PKCS#11 support for ssh-agent
> > Bug 2817 - Add support for PKCS#11 URIs (RFC 7512)
> > Bug 2472 - Add support to load additional certificates
> > Bug 2075 - [PATCH] Enable key pair generation on a PKCS#11 device
> >
> > Namely, the #2638 one will be a big problem after the release of OpenSC
> > 0.18.0 [1], which no longer allows the workflow OpenSSH is using.
> >
> > Also in #2817, there is a resurrection of the soft-pkcs11 module in the
> > regress testsuite, which can later be extended to verify other use
> > cases as well.
> >
> > [1] https://github.com/OpenSC/OpenSC/pull/1256
> >
> > Thanks,
> > --
> > Jakub Jelen
> > Software Engineer
> > Security Technologies
> > Red Hat, Inc.

--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
On 2/26/2018 12:00 PM, Jakub Jelen wrote:
> Hello everyone,
>
> as you may have noticed over the years, there are several bugs for
> PKCS#11 improvement and integration which have been slipping under the radar
> for several releases, but the most painful ones are constantly updated
> by the community to build, work and make our lives better.
>
> I wrote some of the patches, provided feedback to others, or offered
> other help here on the mailing list, but did not get much
> feedback; none of the patches (excluding some one-liners) are
> incorporated, and usually they are not yet even reviewed or considered.
>
> I believe using PKCS#11 as a store for private keys is a good practice
> and making OpenSSH work with it is a must. So again, I am offering my help
> in this area, not limited to the following bugs (according to
> complexity and priority):
>
> Bug 2430 - ssh-keygen should allow to login before reading public key
> from smart card
> Bug 2652 - PKCS11 login skipped if login required and no pin set
> Bug 2638 - Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the
> private objects
> Bug 2474 - Enabling ECDSA in PKCS#11 support for ssh-agent
> Bug 2817 - Add support for PKCS#11 URIs (RFC 7512)
> Bug 2472 - Add support to load additional certificates
> Bug 2075 - [PATCH] Enable key pair generation on a PKCS#11 device
>
> Namely, the #2638 one will be a big problem after the release of OpenSC
> 0.18.0 [1], which no longer allows the workflow OpenSSH is using.
>

In response to #2638, attached are changes to 7.7p1 so the PIN is used for both the C_Login(CKU_USER) and the C_Login(CKU_CONTEXT_SPECIFIC).

It can also work with a PIN pad reader if [2] is applied, but it requires the user to enter the PIN twice.

Tested with a NIST Demo card using the AUTH key and the SIGN key. The PIV card enforces "PIN Always" for the SIGN key, and OpenSC supports this by returning CKA_ALWAYS_AUTHENTICATE=True for the SIGN key.
The application requests this attribute and, if it is True, does C_Login(CKU_CONTEXT_SPECIFIC) just before the C_Sign operation.

>
> [1] https://github.com/OpenSC/OpenSC/pull/1256

[2] https://github.com/OpenSC/OpenSC/commit/dac9634d87e38ec899713d36a389816b0435b767

--
Douglas E. Engert <DEEngert at gmail.com>
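The CKA_ALWAYS_AUTHENTICATE flow Douglas describes, as an added example that is not code from the thread, OpenSSH or OpenSC: a constructed in-memory token model stands in for the PKCS#11 module (the CKA_/CKU_/CKR_ constants are the real PKCS#11 values; `fake_token`, the `tok_*` functions, `sign_with_reauth` and the PIN "123456" are assumed names and values). It shows why "C_Login(CKU_USER) once, then sign" fails for a PIV SIGN key and how re-presenting the PIN as CKU_CONTEXT_SPECIFIC before each C_Sign fixes it.

```c
#include <stdbool.h>
#include <string.h>
/* Genuine PKCS#11 constants (the values used by the PKCS#11 v2.x headers). */
#define CKA_ALWAYS_AUTHENTICATE    0x202UL
#define CKU_USER                   1UL
#define CKU_CONTEXT_SPECIFIC       2UL
#define CKR_OK                     0x000UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x012UL
#define CKR_PIN_INCORRECT          0x0A0UL
#define CKR_USER_NOT_LOGGED_IN     0x101UL
/* Constructed token model (not OpenSC code) holding one private key under the
 * PIV "PIN Always" rule: every C_Sign needs its own CKU_CONTEXT_SPECIFIC login. */
typedef struct {
    const char *pin;          /* PIN the token expects (constructed value) */
    bool user_logged_in;      /* set by C_Login(CKU_USER) */
    bool always_authenticate; /* the key's CKA_ALWAYS_AUTHENTICATE attribute */
    bool context_auth_armed;  /* CKU_CONTEXT_SPECIFIC login not yet consumed */
    unsigned signatures;      /* signatures the token has produced */
} fake_token;
/* Stand-in for C_GetAttributeValue, limited to the one attribute we need. */
static unsigned long tok_get_attribute(fake_token *t, unsigned long type, bool *out) {
    if (type != CKA_ALWAYS_AUTHENTICATE) return CKR_ATTRIBUTE_TYPE_INVALID;
    *out = t->always_authenticate;
    return CKR_OK;
}
/* Stand-in for C_Login: one PIN serves both user types, as in Douglas's patch. */
static unsigned long tok_login(fake_token *t, unsigned long user_type, const char *pin) {
    if (strcmp(pin, t->pin) != 0) return CKR_PIN_INCORRECT;
    if (user_type == CKU_CONTEXT_SPECIFIC && !t->user_logged_in) return CKR_USER_NOT_LOGGED_IN;
    if (user_type == CKU_USER) t->user_logged_in = true; else t->context_auth_armed = true;
    return CKR_OK;
}
/* Stand-in for C_Sign: an always-authenticate key consumes one context login. */
static unsigned long tok_sign(fake_token *t) {
    if (!t->user_logged_in) return CKR_USER_NOT_LOGGED_IN;
    if (t->always_authenticate && !t->context_auth_armed) return CKR_USER_NOT_LOGGED_IN;
    t->context_auth_armed = false;
    t->signatures++;
    return CKR_OK;
}
/* Client side of the fix: read CKA_ALWAYS_AUTHENTICATE and, if it is true,
 * re-present the PIN as CKU_CONTEXT_SPECIFIC immediately before signing. */
static unsigned long sign_with_reauth(fake_token *t, const char *pin) {
    bool always = false;
    unsigned long rv = tok_get_attribute(t, CKA_ALWAYS_AUTHENTICATE, &always);
    if (rv != CKR_OK) return rv;
    if (always && (rv = tok_login(t, CKU_CONTEXT_SPECIFIC, pin)) != CKR_OK) return rv;
    return tok_sign(t);
}
```

An AUTH key (CKA_ALWAYS_AUTHENTICATE false) takes the same code path but needs no second PIN entry, which is the behaviour the old single-login flow relied on.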