[Bug 3613] New: Unable to sign using certificates and PKCS#11

bugzilla-daemon at mindrot.org
Mon Sep 11 20:59:48 AEST 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3613

            Bug ID: 3613
           Summary: Unable to sign using certificates and PKCS#11
           Product: Portable OpenSSH
           Version: 8.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: aim at orbit.online

From my own experimentation and from looking at the code and some of
the reported bugs here I believe it is currently not possible to sign
arbitrary data with ssh-keygen and an SSH certificate (e.g. for git
commit signing, verified using @cert-authority).

I have tried specifying the certificate when invoking ssh-keygen with
```
$ ssh-add -e /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
Enter passphrase for PKCS#11:
Card added: /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
$ ssh-keygen -Y sign -f ~/.ssh/id_rsa-cert.pub -n file test.txt
debug2: hash_file: hashed 3401 bytes
debug3: hash_file: final hash:
1239125ebf618d51bfe64e65dce15530a7a3c9c230438b537564261473c050cd915185a8c19dbb85f40e4faf4367a9779fc54564bcc8de0824e42004c3e3777f
Couldn't sign message (signer): agent refused operation
Signing config/git/config failed: agent refused operation
```

though the `-f` option seems to be ignored and the `ssh-agent` looks
for an RSA-CERT when only RSA keys are loaded:

```
debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 20
debug2: process_add_smartcard_key: entering
debug1: process_add_smartcard_key: add
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0
debug1: process_add
debug1: provider /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0:
manufacturerID <PKCS#11 Kit> cryptokiVersion 2.40 libraryDescription
<PKCS#11 Kit Proxy Module> libraryVersion 1.1
debug1: provider /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0:
label <YubiKey PIV #19258332> manufacturerID <Yubico (www.yubico.com)>
model <YubiKey YK5> serial <19258332> flags 0x40d
debug2: pkcs11_fetch_keys: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:vRdQ4M0pBHf4Cb4pqxFGVTeJmqRTzRusvXxu7vRrjNk
debug1: have 1 keys
debug2: pkcs11_fetch_keys: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:54W0/9rkv84M3pwsFa7qvWkCeQGbkWlwSkvk1fcsrV0
debug1: have 2 keys
debug2: pkcs11_fetch_certs: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:vRdQ4M0pBHf4Cb4pqxFGVTeJmqRTzRusvXxu7vRrjNk
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55878dee71a0 ptr 0x55878dee5e90 idx 1
debug1: pkcs11_provider_unref: provider
"/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0" refcount 3
debug2: pkcs11_fetch_certs: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:54W0/9rkv84M3pwsFa7qvWkCeQGbkWlwSkvk1fcsrV0
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55878dee68c0 ptr 0x55878dee6290 idx 1
debug1: pkcs11_provider_unref: provider
"/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0" refcount 3
debug2: pkcs11_fetch_certs: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:vRdQ4M0pBHf4Cb4pqxFGVTeJmqRTzRusvXxu7vRrjNk
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55878dee7640 ptr 0x55878dee5f20 idx 1
debug1: pkcs11_provider_unref: provider
"/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0" refcount 3
debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
debug3: identity_permitted: entering: key RSA comment "Public key for
PIV Authentication", 0 socket bindings, 0 constraints
debug3: identity_permitted: entering: key RSA comment "Public key for
PIV Attestation", 0 socket bindings, 0 constraints
debug2: process_request_identities: replying with 2 allowed of 2
available keys
debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign_request2: entering
process_sign_request2: RSA-CERT key not found
```

It is also not possible to get `ssh-agent` to load the certificate
with:
```
$ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
~/.ssh/id_rsa-cert.pub
Enter passphrase for PKCS#11:
Card added: /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
```

Where the `ssh-agent` looks like this:
```
debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 20
debug2: process_add_smartcard_key: entering
debug1: process_add_smartcard_key: add
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0
debug1: process_add
debug1: provider /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0:
manufacturerID <PKCS#11 Kit> cryptokiVersion 2.40 libraryDescription
<PKCS#11 Kit Proxy Module> libraryVersion 1.1
debug1: provider /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0:
label <YubiKey PIV #19258332> manufacturerID <Yubico (www.yubico.com)>
model <YubiKey YK5> serial <19258332> flags 0x40d
debug2: pkcs11_fetch_keys: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:vRdQ4M0pBHf4Cb4pqxFGVTeJmqRTzRusvXxu7vRrjNk
debug1: have 1 keys
debug2: pkcs11_fetch_keys: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:54W0/9rkv84M3pwsFa7qvWkCeQGbkWlwSkvk1fcsrV0
debug1: have 2 keys
debug2: pkcs11_fetch_certs: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:vRdQ4M0pBHf4Cb4pqxFGVTeJmqRTzRusvXxu7vRrjNk
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55878dee9c50 ptr 0x55878dee87d0 idx 1
debug1: pkcs11_provider_unref: provider
"/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0" refcount 3
debug2: pkcs11_fetch_certs: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:54W0/9rkv84M3pwsFa7qvWkCeQGbkWlwSkvk1fcsrV0
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55878dee83b0 ptr 0x55878dee8c90 idx 1
debug1: pkcs11_provider_unref: provider
"/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0" refcount 3
debug2: pkcs11_fetch_certs: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:vRdQ4M0pBHf4Cb4pqxFGVTeJmqRTzRusvXxu7vRrjNk
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55878deea160 ptr 0x55878dee8cc0 idx 1
debug1: pkcs11_provider_unref: provider
"/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0" refcount 3
```

A workaround would be to somehow support the `-O CertificateFile`
option in `ssh-keygen` like `ssh` does. 
A more robust way to solve this would of course be to support loading
certificate files into the ssh-agent.
