[Bug 1498] New: OpenSC smartcard access should use raw public keys, not X.509 certificates
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Fri Aug 1 07:46:44 EST 2008
https://bugzilla.mindrot.org/show_bug.cgi?id=1498
Summary: OpenSC smartcard access should use raw public keys,
not X.509 certificates
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.1p1
Platform: Other
OS/Version: Linux
Status: NEW
Keywords: patch
Severity: normal
Priority: P2
Component: Smartcard
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: dkg at fifthhorseman.net
Created an attachment (id=1555)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1555)
patch so that OpenSC uses public keys instead of certificates
The OpenSC smartcard framework supports access to both raw public keys
and X.509 certificates on crypto tokens. When OpenSSH is compiled
--with-opensc, it currently looks for X.509 certificates on any
smartcard it uses. But OpenSSH itself uses raw public keys (and not
X.509), so requiring the presence of an X.509 cert on the smartcard is
unnecessary and potentially problematic.
Everyone who has an X.509 certificate already has (embedded in the
cert) a public key. But you can load a raw key onto a card without
having a certificate. So raw keys would seem to be the lowest common
denominator. Is there some other reason to require an X.509
certificate that i'm missing?
The attached patch allows OpenSSH to use certificateless RSA keys on
any OpenSC-supported hardware crypto token. Fixing this bug also
simplifies the sc_read_pubkey() implementation, reduces the number of
#includes in scard-opensc.c, and removes a compilation warning, for
whatever that's worth.
The patch was developed and tested against openssh 4.7p1 (from debian
unstable), but it also applies cleanly to CVS HEAD. I used
libopensc2-dev version 0.11.4, and did my testing against an Axalto
CryptoFlex eGate 32k hardware token.
I'd appreciate any feedback on the patch. If i can do anything to
encourage its adoption into the upstream codebase, let me know what it
needs.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list