[Bug 3613] Unable to sign using certificates and PKCS#11
bugzilla-daemon at mindrot.org
Thu Apr 4 23:54:24 AEDT 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3613
--- Comment #18 from aim at orbit.online ---
Yes!! Thank you Damien. This works perfectly!
I only just now had the extra time to get back to it.
I can confirm that I am now able to sign a peer PKCS#11 pubkey with a
CA PKCS#11 key, use the resulting certificate and the peer PKCS#11 key
to sign a file, and then verify that the file has been signed by the
peer and that the peer is trusted through a "cert-authority" in the
allow signers file.
I have attached a Dockerfile and a test script which functionally tests
everything and also demos how it all works together. It can be run with
`docker run --rm $(docker build -q .)`.
The "Good "file" signature for Peer with RSA-CERT key SHA256:..." is
what to look for in the logs.
Again, thank you for your hard work Damien; in a corporate context we
can now do short-lived ssh-certs for git commit signing and pushing
while the key itself can reside on e.g. a YubiKey or a TPM.
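The sign-with-CA, sign-file-with-cert, verify-via-cert-authority chain described in this comment, as an added shell example that is not the attached Dockerfile or test script: it uses file-backed keys in place of the PKCS#11 CA and peer keys (the token case differs only in how ssh-keygen loads the keys), and the names ca_key, peer_key, the principal "peer" and the namespace "file" are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the bug report. Returns 0 when the signature
# verifies through the CA only, 1 on any failure, 2 if ssh-keygen is absent.
demo_cert_signing() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found"; return 2; }
    d=$(mktemp -d) || return 1
    rc=1
    if (
        set -e
        cd "$d"
        # CA key (stands in for the CA PKCS#11 key) and peer key (peer PKCS#11 key)
        ssh-keygen -q -t ed25519 -N '' -C peer-ca -f ca_key
        ssh-keygen -q -t ed25519 -N '' -C peer -f peer_key
        # Short-lived (1 day) user certificate for principal "peer" -> peer_key-cert.pub
        ssh-keygen -q -s ca_key -I peer-cert -n peer -V +1d peer_key.pub
        # allowed_signers trusts the CA for principal "peer"; the peer key itself is NOT listed
        printf 'peer cert-authority %s\n' "$(cut -d' ' -f1,2 ca_key.pub)" > allowed_signers
        printf 'constructed payload\n' > file
        # ssh-keygen picks up peer_key-cert.pub next to the key and embeds the cert in file.sig
        ssh-keygen -Y sign -f peer_key -n file file
        # Verify: -I must match a principal in the certificate, and the cert's CA must be trusted
        ssh-keygen -Y verify -f allowed_signers -I peer -n file -s file.sig < file
        # Negative check: an identity that is not a certificate principal must be rejected
        if ssh-keygen -Y verify -f allowed_signers -I intruder -n file -s file.sig < file 2>/dev/null; then
            echo "verify wrongly accepted an unlisted principal" >&2
            exit 1
        fi
        # Negative check: tampering with the signed content must be rejected
        printf 'tampered payload\n' > file2
        if ssh-keygen -Y verify -f allowed_signers -I peer -n file -s file.sig < file2 2>/dev/null; then
            echo "verify wrongly accepted modified content" >&2
            exit 1
        fi
    ); then
        rc=0
    fi
    rm -rf "$d"
    return $rc
}
```

The successful verify prints a line of the form `Good "file" signature for peer with ED25519-CERT key SHA256:...`, the ED25519 counterpart of the RSA-CERT line the comment points to.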