[Bug 1498] New: OpenSC smartcard access should use raw public keys, not X.509 certificates

bugzilla-daemon at bugzilla.mindrot.org
Fri Aug 1 07:46:44 EST 2008


           Summary: OpenSC smartcard access should use raw public keys,
                    not X.509 certificates
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 5.1p1
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Keywords: patch
          Severity: normal
          Priority: P2
         Component: Smartcard
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: dkg at fifthhorseman.net

Created an attachment (id=1555)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1555)
patch so that OpenSC uses public keys instead of certificates

The OpenSC smartcard framework supports access to both raw public keys
and X.509 certificates on crypto tokens.  When OpenSSH is compiled
--with-opensc, it currently looks for X.509 certificates on any
smartcard it uses.  But OpenSSH itself uses raw public keys (and not
X.509), so requiring the presence of an X.509 cert on the smartcard is
unnecessary and potentially problematic.

Everyone who has an X.509 certificate already has (embedded in the
cert) a public key.  But you can load a raw key onto a card without
having a certificate.  So raw keys would seem to be the lowest common
denominator.  Is there some other reason to require an X.509
certificate that I'm missing?

The attached patch allows OpenSSH to use certificateless RSA keys on
any OpenSC-supported hardware crypto token.  Fixing this bug also
simplifies the sc_read_pubkey() implementation, reduces the number of
#includes in scard-opensc.c, and removes a compilation warning, for
whatever that's worth.

The patch was developed and tested against openssh 4.7p1 (from debian
unstable), but it also applies cleanly to CVS HEAD.  I used
libopensc2-dev version 0.11.4, and did my testing against an Axalto
CryptoFlex eGate 32k hardware token.

I'd appreciate any feedback on the patch.  If I can do anything to
encourage its adoption into the upstream codebase, let me know what it

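As an added illustration of the point made above (example code, not part of the bug report or the attached patch), the following Python builds and parses OpenSSH's own public-key representation from nothing but the RSA modulus and exponent, which is all a certificateless key object on the card has to provide; the key values are constructed samples, not a real key.

```python
import base64
import struct
from typing import List, Tuple


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement; a leading 0x00 is added
    when the top bit is set so a positive value is not misread as negative."""
    if value == 0:
        return ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_ssh_blob(n: int, e: int) -> bytes:
    """The wire-format key OpenSSH compares against authorized_keys: just the
    algorithm name, e and n.  No issuer, validity period or CA signature."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def rsa_to_authorized_key(n: int, e: int, comment: str = "") -> str:
    """Render one authorized_keys / id_rsa.pub line from raw RSA components."""
    line = "ssh-rsa " + base64.b64encode(rsa_ssh_blob(n, e)).decode("ascii")
    return line + (" " + comment if comment else "")


def authorized_key_to_rsa(line: str) -> Tuple[int, int]:
    """Parse an ssh-rsa line back into (n, e), checking the framing."""
    blob = base64.b64decode(line.split()[1])
    fields: List[bytes] = []
    off = 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    e, n = (int.from_bytes(f, "big") for f in fields[1:3])
    return n, e


# Constructed sample values (not a real key): a 256-bit modulus with the top
# bit set, which exercises the mpint leading-zero rule, and the usual e=65537.
SAMPLE_N = 0xC0FFEE00C0FFEE00C0FFEE00C0FFEE00C0FFEE00C0FFEE00C0FFEE00C0FFEE01
SAMPLE_E = 65537
```

`rsa_to_authorized_key(SAMPLE_N, SAMPLE_E, "card-key")` yields the line sshd would match, and `authorized_key_to_rsa` recovers exactly the two integers it was built from.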