[Bug 3613] Unable to sign using certificates and PKCS#11

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Apr 4 23:54:24 AEDT 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3613

--- Comment #18 from aim at orbit.online ---
Yes!! Thank you Damien. This works perfectly!

I only just now had the extra time to get back to it.

I can confirm that I am now able to sign a peer PKCS#11 pubkey with a
CA PKCS#11 key, use the resulting certificate and the peer PKCS#11 key
to sign a file, and then verify that the file has been signed by the
peer and that the peer is trusted through a "cert-authority" in the
allow signers file.

I have attached a Dockerfile and a test script which functionally tests
everything and also demos how it all works together. It can be run with
`docker run --rm $(docker build -q .)`.

The line `Good "file" signature for Peer with RSA-CERT key SHA256:...` is
what to look for in the logs.

Again, thank you for your hard work Damien. In a corporate context we
can now do short-lived ssh-certs for git commit signing and pushing
while the key itself can reside on, e.g., a YubiKey or a TPM.

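The same three-step flow (CA signs the peer's public key, the peer signs a file with the certificate, the verifier trusts the CA via `cert-authority` in allowed_signers), as an added example that is not the Dockerfile or test script attached to this bug. It assumes file-based RSA keys standing in for the CA and peer PKCS#11 keys; the signing step goes through ssh-agent, which is where a PKCS#11 key would also be loaded, so the verify output matches the `RSA-CERT` line quoted above.

```shell
#!/bin/sh
# Added example, not code from the bug attachment. File keys in a temp dir
# stand in for the CA and peer PKCS#11 keys (an assumption for an offline demo).
set -eu

cert_sign_flow() {
    work=$(mktemp -d)
    trap 'ssh-agent -k >/dev/null 2>&1 || true; rm -rf "$work"' EXIT

    # CA key (stand-in for the CA PKCS#11 key)
    ssh-keygen -q -t rsa -N '' -C ca -f "$work/ca"
    # Peer key (stand-in for the YubiKey/TPM-resident peer key)
    ssh-keygen -q -t rsa -N '' -C peer -f "$work/peer"

    # 1. CA signs the peer public key: a short-lived user certificate whose
    #    only principal is "Peer". Output lands in peer-cert.pub.
    ssh-keygen -q -s "$work/ca" -I peer-cert -n Peer -V -5m:+1h "$work/peer.pub"

    # 2. allowed_signers: trust anything the CA certifies for principal "Peer".
    #    Only the key type and base64 blob of ca.pub go into the entry.
    printf 'Peer cert-authority %s\n' "$(cut -d' ' -f1,2 "$work/ca.pub")" \
        > "$work/allowed_signers"

    # 3. Sign a file with the certificate. ssh-keygen -Y sign takes the cert as
    #    -f and finds the private half in the agent (ssh-add also loads peer-cert.pub).
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add -q "$work/peer"
    printf 'commit contents\n' > "$work/data"
    ssh-keygen -q -Y sign -f "$work/peer-cert.pub" -n file "$work/data"

    # 4. Verify against allowed_signers; the signature carries the certificate,
    #    so the CA entry is what makes it trusted. Expected first line:
    #    Good "file" signature for Peer with RSA-CERT key SHA256:...
    ssh-keygen -Y verify -f "$work/allowed_signers" -I Peer -n file \
        -s "$work/data.sig" < "$work/data"
}

cert_sign_flow
```

Changing `-I Peer` to another identity, or removing `cert-authority` from the entry, makes the verify step fail, which is the check that the trust really flows through the CA rather than through the peer key itself.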