[Bug 2817] New: Add support for PKCS#11 URIs (RFC 7512)
bugzilla-daemon at bugzilla.mindrot.org
Sat Jan 6 01:25:16 AEDT 2018
https://bugzilla.mindrot.org/show_bug.cgi?id=2817
Bug ID: 2817
Summary: Add support for PKCS#11 URIs (RFC 7512)
Product: Portable OpenSSH
Version: 7.6p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Smartcard
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Created attachment 3111
--> https://bugzilla.mindrot.org/attachment.cgi?id=3111&action=edit
PKCS#11 URI (RFC7512) support
There is a series of patches adding support for PKCS#11 URIs [1] with
a testsuite and improving the existing tests to be actually run against a
software pkcs11 module.
What is currently done:
* Print PKCS#11 URIs from ssh-keygen
* Accept PKCS#11 URIs in -i argument to ssh
* Allow PKCS#11 URI specification in ssh_config
* Fallback to p11-kit-proxy
* PKCS#11 URI support for ssh-add and ssh-agent
* internal representation is PKCS#11 URI
Currently recognized and used parts of PKCS#11 URI:
* path (optional)
  * object
  * token
  * id
  * manufacturer
* query (optional)
  * module-path
This allows us to select the key from smart card or HSM with the same
syntax used by other tools working with PKCS#11 devices.
It would be very simple to extend the work to allow specifying various
ways for providing PINs, which is part of the RFC.
The commits are reviewable on github [2] or in the attachment.
[1] https://tools.ietf.org/html/rfc7512
[2] https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
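
Added example, not part of the original report or of the attached patches: a Python parser for the URI parts the report lists, with percent-decoding and an allowlist check on module-path, since that attribute names a shared library to be loaded. Rejecting unknown or duplicate attributes, the function names, and the sample URI and module path are assumptions of this example.

```python
from urllib.parse import unquote_to_bytes

# Attribute names listed in the bug report; other RFC 7512 attributes are
# rejected by this example (an assumption, not the patch's behaviour).
PATH_ATTRS = {"object", "token", "id", "manufacturer"}
QUERY_ATTRS = {"module-path"}


def _parse_attrs(text, sep, allowed):
    """Split 'name=value' pairs on sep, percent-decode values, reject unknowns."""
    attrs = {}
    for item in filter(None, text.split(sep)):
        name, eq, value = item.partition("=")
        if not eq or name not in allowed:
            raise ValueError(f"unsupported or malformed attribute: {item!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name!r}")
        raw = unquote_to_bytes(value)
        # 'id' is an opaque byte string (CKA_ID); the rest are UTF-8 text.
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI."""
    scheme, colon, rest = uri.partition(":")
    if not colon or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")  # path uses ';', query uses '&'
    return (_parse_attrs(path, ";", PATH_ATTRS),
            _parse_attrs(query, "&", QUERY_ATTRS))


def module_allowed(query_attrs, allowlist):
    """module-path names a shared library to load; accept only listed ones."""
    module = query_attrs.get("module-path")
    return module is None or module in allowlist  # None: no module requested


# Constructed sample values, not taken from the bug report.
SAMPLE = ("pkcs11:token=My%20Token;manufacturer=Example;object=ssh-key;"
          "id=%01%02?module-path=/usr/lib64/pkcs11/example.so")
ALLOWED_MODULES = {"/usr/lib64/pkcs11/example.so"}

if __name__ == "__main__":
    path_attrs, query_attrs = parse_pkcs11_uri(SAMPLE)
    print(path_attrs, query_attrs, module_allowed(query_attrs, ALLOWED_MODULES))
```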