Wanted: smartcard with ECDSA support

Douglas E Engert deengert at gmail.com
Wed Apr 1 12:54:11 AEDT 2015



On 3/31/2015 6:14 PM, Damien Miller wrote:
> On Tue, 31 Mar 2015, Thomas Calderon wrote:
>
>> Hi list,
>>
>> I have no idea if Damien Miller had the time to work on that.
>>
>> I have an initial patch to authenticate using PKCS#11 and ECDSA keys.
>> This requires OpenSSL 1.0.2; prior OpenSSL versions do not expose the
>> required interfaces to override the signature function pointer for ECDSA.
>> The only limitation is that the OpenSSL API misses some cleanup function
>> (finish, for instance), hence I have yet to find a way to properly free the
>> PKCS#11 resources.
>>
>> Is this a contribution you might be interested in?
>
> There's another ECDSA-for-PKCS#11 patch floating around too, but yes.
>
> I never found ECDSA-capable smartcards. Donations of a couple are
> still welcome.

(Ask Yubico and Smartcard-HSM as they sell the cards in small numbers,
and the user can configure them.)


Newer NIST PIV cards (but not in the field yet), Oberthur and Gemalto among others.

Yubico NEO with PIV applet,

   https://developers.yubico.com/yubico-piv-tool/YubiKey_NEO_PIV_introduction.html

Smartcard-HSM:

http://www.smartcard-hsm.com/2014/08/22/using-smartcard-hsm-with-ecc-and-opensc.html

MyEID has some support; check the web.

All of the above are supported by OpenSC's ECDSA. (The PIV cards can also do ECDH.)

>
> -d

-- 

  Douglas E. Engert  <DEEngert at gmail.com>
