Wanted: smartcard with ECDSA support

Thomas Calderon calderon.thomas at gmail.com
Wed Apr 1 03:02:42 AEDT 2015


On Tue, Mar 31, 2015 at 3:10 PM, Douglas E Engert <deengert at gmail.com> wrote:

> On 3/31/2015 4:23 AM, Thomas Calderon wrote:
>
>> Hi list,
>>
>> I have no idea if Damien Miller had the time to work on that.
>>
>> I have an initial patch to authenticate using PKCS#11 and ECDSA keys.
>> This requires OpenSSL 1.0.2; prior OpenSSL versions do not expose the
>> required interfaces to override the signature function pointer for ECDSA.
>> The only limitation is that the OpenSSL API misses some cleanup function
>> (finish, for instance), hence I have yet to find a way to properly free the
>> PKCS#11 resources.
>>
>
> OpenSC, engine_opensc and libp11 versions on github can use OpenSSL-1.0.2
> with ECDSA.
> They have similar problems with memory leaks and ECDSA. But they do work,
> if you can live with the memory leaks, for example to sign a certificate
> request with ECDSA.


Well, this might be an issue for getting the code integrated upstream in OpenSSH.
It is a shame that there isn't a clean way to do it. I will try to think of
a better approach.
In the meantime, I'll integrate it as cleanly as possible and submit it as
it is so we can keep a trace of it.


>> Is this a contribution you might be interested in?
>>
>
> Any OpenSSL code to call PKCS#11 directly and eliminate the need for the
> engine_opensc would be welcome.
>
Sure, the same approach can be used in PKI scenarios to generate a CSR and
sign it in an OpenSSL context.


>
>> Cheers,
>>
>> Thomas Calderon
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> --
>
>  Douglas E. Engert  <DEEngert at gmail.com>
>