Wanted: smartcard with ECDSA support

Jakub Jelen jjelen at redhat.com
Wed Oct 12 00:02:16 AEDT 2016


On 03/31/2015 11:23 AM, Thomas Calderon wrote:
> Hi list,
>
> I have no idea if Damien Miller had the time to work on that.
>
> I have an initial patch to authenticate using PKCS#11 and ECDSA keys.
> This requires OpenSSL 1.0.2, prior OpenSSL versions do not expose the
> required interfaces to override the signature function pointer for ECDSA.
> The only limitation is that the OpenSSL API misses some cleanup function
> (finish, for instance), hence I have yet to find a way to properly free the
> PKCS#11 resources.
>
> Is this a contribution you might be interested in?
Hello list,
sorry for pulling such an old thread up. But I recently moved into the smartcard
waters and I found the missing functionality of ECDSA keys quite unfortunate.
I have access to the PIV Test cards by NIST [1] so I can work on this functionality.

As far as I remember, both of the patches hanging around [2] [3] were working to
some extent, but in others exposed some non-ideal behavior and were not adhering
to the best practices of PKCS#11 [4], which I found quite useful when implementing
some other tool communicating over PKCS#11.

But before starting to invest time into these improvements, I would like to see if there is
some progress in upstream OpenSSH, a way to test (or if the ECDSA cards donation
request is still an actual blocker) and willingness to accept this feature (and possibly other
PKCS#11-related ones).

[1] http://csrc.nist.gov/groups/SNS/piv/testcards.html
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=2474
[3] https://ambientworks.net/ecdsa-ssh.txt
[4] https://wiki.oasis-open.org/pkcs11/CommonBugs

Regards,

-- 
Jakub Jelen
Security Technologies
Red Hat
