Current status of PKCS#11 ECDSA support

Mathias Brossard mathias at
Fri Oct 20 16:05:47 AEDT 2017

On Wed, Oct 18, 2017 at 3:13 PM, Roland Bracewell Shoemaker <roland at>

> What is the current status on work to add support for PKCS#11 ECDSA keys?
> I’ve been using a version of the patch that has been sitting around on the
> bug tracker [1] for ~2 years now without much movement and am wondering if
> this is ever going to make it into a release.

Hello. I'm the author of the patch. In addition to some comments in the bug
tracker, I've had several email expressing interest in the patch and/or
reporting success using it.

Is this a case of there being existing issues with that implementation
> without anyone interested in resolving them/pushing forward to get this
> patch merged or are there other extant issues that are preventing this from
> happening?

I think that there is some interest. I'm guessing there is a lack of
bandwidth for maintainers to review it.

As hardware based tokens are gaining popularity (not to mention things like
> the built in secure enclave like chips in many newer devices) along with
> the increase in usage of ECDSA keys this would be a really nice thing to
> have baked into mainline releases instead of having to tell people to go
> merge a random patch and build OpenSSH themselves.

Hey that's my patch you're talking about :). But I do agree with you it
would be nice to have it added.

If there is anything I can do to help push this along let me know!

I'm still interested in improving / fixing the patch to get it included.

I just uploaded a patch that applies cleanly to 7.6p1 and re-tested it with
LibreSSL 2.5.5 and OpenSSL 1.0.2l.

Mathias Brossard

More information about the openssh-unix-dev mailing list