Wanted: smartcard with ECDSA support

Douglas E Engert deengert at gmail.com
Wed Apr 1 03:47:35 AEDT 2015



On 3/31/2015 11:02 AM, Thomas Calderon wrote:
>
>
> On Tue, Mar 31, 2015 at 3:10 PM, Douglas E Engert <deengert at gmail.com> wrote:
>
>
>
>     On 3/31/2015 4:23 AM, Thomas Calderon wrote:
>
>         Hi list,
>
>         I have no idea if Damien Miller had the time to work on that.
>
>         I have an initial patch to authenticate using PKCS#11 and ECDSA keys.
>         This requires OpenSSL 1.0.2, prior OpenSSL versions do not expose the
>         required interfaces to override the signature function pointer for ECDSA.
>         The only limitation is that the OpenSSL API misses some cleanup function
>         (finish, for instance), hence I have yet to find a way to properly free the
>         PKCS#11 resources.
>
>
>     OpenSC, engine_opensc and libp11 versions on github can use OpenSSL-1.0.2 with ECDSA.
>     They have similar problems with memory leaks and ECDSA. But they do work,
>     if you can live with the memory leaks, for example to sign a certificate request
>     with ECDSA.
>
>
> Well this might be an issue to have the code integrated upstream in OpenSSH.
> It is a shame that there isn't a clean way to do it. I will try to think of a better approach.
> In the meantime, I'll integrate it as cleanly as possible and submit it as it is so we can keep a trace of it.
>
>         Is this a contribution you might be interested in?
>
>
>     Any OpenSSL code to call PKCS#11 directly and eliminate the need for the engine_opensc
>     would be welcome.
>
>
> Sure, the same approach can be used in PKI scenarios to generate a CSR and sign it in an OpenSSL context.

I am on the OpenSC, OpenSSL and OpenSSH lists. When I responded to you I was thinking the message was from the OpenSSL list,
thus the comments about PKCS#11 and OpenSSL. Sorry about the confusion.

You are right that OpenSSL does miss some cleanup for ECC. See the OpenSSL bug report on the ECC METHOD code that was committed, and the comment about there being no init and finish:
http://rt.openssl.org/Ticket/Display.html?id=2459#txn-50343

>
>         Cheers,
>
>         Thomas Calderon
>         _________________________________________________
>         openssh-unix-dev mailing list
>         openssh-unix-dev at mindrot.org
>         https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>
>     --
>
>       Douglas E. Engert  <DEEngert at gmail.com>
>

-- 

  Douglas E. Engert  <DEEngert at gmail.com>


