Outstanding PKCS#11 issues
Jakub Jelen
jjelen at redhat.com
Tue Feb 27 05:00:19 AEDT 2018
Hello everyone,
as you could have noticed over the years, there are several bugs for
PKCS#11 improvement and integration which are slipping under the radar
for several releases, but the most painful ones are constantly updated
by community to build, work and make our lives better.
I wrote some of the patches, provided feedback to others, or offered
other help here on mailing list, but did not get quite much any
feedback, none of the patches (excluding some one-liners) are not
incorporated, but usually not yet even reviewed or considered.
I believe using PKCS#11 as a store for private keys is a good practice
and making OpenSSH work with it is a must. So again, I offering my help
in this area not limited to the following bugs (according to
complexity and priority):
Bug 2430 - ssh-keygen should allow to login before reading public key
from smart card
Bug 2652 - PKCS11 login skipped if login required and no pin set
Bug 2638 - Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the
private objects
Bug 2474 - Enabling ECDSA in PKCS#11 support for ssh-agent
Bug 2817 - Add support for PKCS#11 URIs (RFC 7512)
Bug 2472 - Add support to load additional certificates
Bug 2075 - [PATCH] Enable key pair generation on a PCKS#11 device
Namely, the #2638 one will be a big problem after the release of OpenSC
0.18.0 [1], which is no longer allowing the workflow OpenSSH is using.
Also in the #2817, there is a resurrection of the soft-pkcs11 module in
regress testsuite, which can be later extended to verify also other use
cases.
[1] https://github.com/OpenSC/OpenSC/pull/1256
Thanks,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
More information about the openssh-unix-dev
mailing list