Why still no PKCS#11 ECC key support in OpenSSH ?

Jakub Jelen jjelen at redhat.com
Tue Aug 14 17:57:20 AEST 2018


On Tue, 2018-08-14 at 06:02 +1000, Damien Miller wrote:
> On Mon, 13 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote:
> 
> > Lack of time on the Open Source projects is understandable, and not
> > uncommon.
> > 
> > However, PKCS11 has been in the codebase practically forever - the
> > ECC
> > patches that I saw did not alter the API or such. It is especially
> > non-invasive when digital signature is concerned.
> > 
> > Considering how long those patches have been sitting in the queue,
> > and
> > the continued interest among the users - perhaps you can prioritize
> > the integration?
> 
> If someone can recommend hardware and some instructions on how to
> set it up that will only improve the chances of this happening
> sooner.

The pkcs11 tests are even part of the testsuite [1], but comically
enough, they are never run, mostly because the software pkcs11 module
is not in the repository. The fix for this test was proposed as part of
the PKCS#11 URI work (unfortunately limited to RSA) [2] a long time ago,
alongside several other offers to help in this direction, but without any
followup for years in various email threads and bugs.

As already proposed by others, you really do not need hardware to
implement and test things. There are several software tokens that are
very suitable for testing. I would recommend softhsm [3]. For setting
up a softhsm token, I use the following script, which I wrote initially
for OpenSC and which is now simplified and used for libcacard [4]; it
takes care of configuration, key and certificate creation, and loading
them into the software card. Using ECC keys is pretty much just a change
of the RSA:1024 string to EC:secp256r1 or another curve.

As already said, the YubiKey 4 is probably the best choice if you really
need real hardware. For setting up a YubiKey, you need yubico-piv-tool,
which has its features and functionality explained in its manual page [5].
Later on, this works with the OpenSC pkcs11 module.

[1] https://github.com/openssh/openssh-portable/blob/master/regress/agent-pkcs11.sh
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=2817
[3] https://github.com/opendnssec/SoftHSMv2/
[4] https://gitlab.freedesktop.org/spice/libcacard/blob/master/tests/setup-softhsm2.sh
[5] https://developers.yubico.com/yubico-piv-tool/Manuals/yubico-piv-tool.1.html

-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
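The softhsm setup described in the message above, written out as an added example; this is not the libcacard script the author refers to, nor code from the OpenSSH project. It assumes SoftHSMv2 (softhsm2-util and the libsofthsm2.so module, whose path below is a guess for Debian-style layouts), OpenSC's pkcs11-tool and ssh-keygen are installed, and it uses constructed PINs, labels and object ids. The key_spec helper is where the "RSA:1024 to EC:secp256r1" substitution from the message lives, so the same script generates either key kind.

```shell
#!/bin/sh
# Added example: create a SoftHSM2 token, generate one RSA and one EC key
# pair through OpenSC's pkcs11-tool, and list what OpenSSH can see through
# the PKCS#11 module. Not the libcacard setup-softhsm2.sh script.
set -eu

# Assumed locations and constructed credentials; adjust for your system.
MODULE="${SOFTHSM2_MODULE:-/usr/lib/softhsm/libsofthsm2.so}"
TOKENDIR="${TOKENDIR:-$(pwd)/softhsm-tokens}"
PIN=1234
SO_PIN=12345678
LABEL=test-token

# pkcs11-tool takes the key spec as one string, so moving a script from
# RSA to ECC really is just changing this argument.
#   key_spec rsa 2048      -> rsa:2048
#   key_spec ec  secp256r1 -> EC:secp256r1
key_spec() {
    case "$1" in
        rsa) echo "rsa:${2:-2048}" ;;
        ec)  echo "EC:${2:-secp256r1}" ;;
        *)   echo "unknown key kind: $1" >&2; return 1 ;;
    esac
}

# Point SoftHSM at a private token directory so nothing touches the
# system-wide store; SOFTHSM2_CONF is honoured by both softhsm2-util and
# the PKCS#11 module.
setup_softhsm_conf() {
    mkdir -p "$TOKENDIR"
    cat > "$TOKENDIR/softhsm2.conf" <<EOF
directories.tokendir = $TOKENDIR
objectstore.backend = file
log.level = ERROR
EOF
    export SOFTHSM2_CONF="$TOKENDIR/softhsm2.conf"
}

# Initialise a token in the first free slot.
init_token() {
    softhsm2-util --init-token --free --label "$LABEL" \
        --pin "$PIN" --so-pin "$SO_PIN"
}

# $1 = rsa|ec, $2 = key size or curve name, $3 = hex object id, $4 = label
gen_keypair() {
    pkcs11-tool --module "$MODULE" --login --pin "$PIN" \
        --keypairgen --key-type "$(key_spec "$1" "$2")" \
        --id "$3" --label "$4"
}

# ssh-keygen -D prints the public keys found on the token in
# authorized_keys format; the EC key only appears if this OpenSSH build
# supports ECDSA keys over PKCS#11, which is exactly what the thread is
# asking for.
list_for_ssh() {
    ssh-keygen -D "$MODULE"
}

main() {
    setup_softhsm_conf
    init_token
    gen_keypair rsa 2048 01 ssh-rsa-test
    gen_keypair ec secp256r1 02 ssh-ec-test
    list_for_ssh
}

# Run as:  sh setup-token.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Once the token exists, `ssh-add -s "$MODULE"` loads the same keys into ssh-agent, which is the path the regress/agent-pkcs11.sh test in [1] exercises; to try another curve, change only the second argument to gen_keypair.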