[Bug 2817] New: Add support for PKCS#11 URIs (RFC 7512)

bugzilla-daemon at bugzilla.mindrot.org
Sat Jan 6 01:25:16 AEDT 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2817

            Bug ID: 2817
           Summary: Add support for PKCS#11 URIs (RFC 7512)
           Product: Portable OpenSSH
           Version: 7.6p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Smartcard
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 3111
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3111&action=edit
PKCS#11 URI (RFC7512) support

There is a series of patches adding support for PKCS#11 URIs [1] with a
testsuite and improving the existing tests to be actually run against a
software pkcs11 module.

What is currently done:
 * Print PKCS#11 URIs from ssh-keygen
 * Accept PKCS#11 URIs in -i argument to ssh
 * Allow PKCS#11 URI specification in ssh_config
 * Fallback to p11-kit-proxy
 * PKCS#11 URI support for ssh-add and ssh-agent
  * internal representation is PKCS#11 URI

Currently recognized and used parts of PKCS#11 URI:
 * path (optional)
  * object
  * token
  * id
  * manufacturer
 * query (optional)
  * module-path

This allows us to select the key from a smart card or HSM with the same
syntax used by other tools working with PKCS#11 devices.

It would be very simple to extend the work to allow specifying various
ways for providing PINs, which is part of the RFC.

The commits are reviewable on GitHub [1] or in the attachment.

[1] https://tools.ietf.org/html/rfc7512
[2] https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11

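The URI parts listed in the report (object, token, id and manufacturer in the path, module-path in the query) can be pulled out of an RFC 7512 URI with a small parser such as the one below. This is an added example, not code from the attached patches or from OpenSSH; the type and function names, the 255-byte value limit, and the choice to skip unrecognized or misplaced attributes are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names, not OpenSSH's; the 255-byte value limit is an assumption. */
enum { P11_OBJECT, P11_TOKEN, P11_ID, P11_MANUFACTURER, P11_MODULE_PATH, P11_NATTR };
static const char *const p11_names[] = { "object", "token", "id", "manufacturer", "module-path" };
struct p11_uri {
    unsigned char val[P11_NATTR][256]; /* decoded bytes, always NUL-terminated */
    size_t len[P11_NATTR];             /* id is binary, so lengths are kept */
};

/* Percent-decode v[0..n) into dst (cap bytes); -1 on bad escape or overflow. */
static long pct_decode(const char *v, size_t n, unsigned char *dst, size_t cap) {
    size_t i, o = 0;
    for (i = 0; i < n; i++, o++) {
        char hex[3] = { 0, 0, 0 };
        if (o >= cap) return -1;
        dst[o] = (unsigned char)v[i];
        if (v[i] != '%') continue;
        if (n - i < 3 || !isxdigit((unsigned char)v[i + 1]) ||
            !isxdigit((unsigned char)v[i + 2])) return -1;
        memcpy(hex, v + i + 1, 2);
        dst[o] = (unsigned char)strtoul(hex, NULL, 16);
        i += 2;
    }
    return (long)o;
}

/* Returns 0 on success, -1 on a malformed, repeated, empty or oversized value. */
int p11_uri_parse(const char *uri, struct p11_uri *u) {
    const char *p, *end, *v;
    int q = 0, a;                 /* q: 1 once the '?' query part has started */
    memset(u, 0, sizeof(*u));
    if (strncmp(uri, "pkcs11:", 7) != 0) return -1;
    for (p = uri + 7; *p; q |= (*end == '?'), p = end + (*end != '\0')) {
        end = p + strcspn(p, q ? "&" : ";?");
        if (end == p) continue;                        /* empty segment */
        if ((v = memchr(p, '=', (size_t)(end - p))) == NULL) return -1;
        for (a = 0; a < P11_NATTR; a++)
            if (strlen(p11_names[a]) == (size_t)(v - p) &&
                memcmp(p, p11_names[a], (size_t)(v - p)) == 0) break;
        if (a == P11_NATTR || (a == P11_MODULE_PATH) != q) continue; /* unknown or misplaced */
        long len = u->len[a] ? -1 : pct_decode(v + 1, (size_t)(end - v - 1), u->val[a], 255);
        if (len <= 0 || (a != P11_ID && memchr(u->val[a], 0, (size_t)len))) return -1;
        u->len[a] = (size_t)len;
    }
    return 0;
}
```

For a constructed URI such as `pkcs11:token=My%20Card;id=%01%02?module-path=/usr/lib/example-pkcs11.so`, the token decodes to `My Card` and the id to the two bytes 0x01 0x02. A repeated attribute, a truncated `%` escape, or a text value containing a decoded NUL byte makes the call return -1 instead of yielding a partially trusted key selector.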