Outstanding PKCS#11 issues
Damien Miller
djm at mindrot.org
Tue Feb 27 13:33:45 AEDT 2018
Hi,
Sorry for being slow on these - once I've cleared some of my backlog
and done the requisite remedial PKCS#11 education then I'll try to take
a look at them.
-d
On Mon, 26 Feb 2018, Jakub Jelen wrote:
> Hello everyone,
>
> as you may have noticed over the years, there are several bugs for
> PKCS#11 improvement and integration which have been slipping under the
> radar for several releases, but the most painful ones are constantly
> updated by the community to build, work and make our lives better.
>
> I wrote some of the patches, provided feedback to others, or offered
> other help here on the mailing list, but did not get much feedback;
> none of the patches (excluding some one-liners) are incorporated, and
> usually they have not even been reviewed or considered.
>
> I believe using PKCS#11 as a store for private keys is a good practice
> and making OpenSSH work with it is a must. So again, I am offering my
> help in this area, not limited to the following bugs (ordered by
> complexity and priority):
>
> Bug 2430 - ssh-keygen should allow to login before reading public key
> from smart card
> Bug 2652 - PKCS11 login skipped if login required and no pin set
> Bug 2638 - Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the
> private objects
> Bug 2474 - Enabling ECDSA in PKCS#11 support for ssh-agent
> Bug 2817 - Add support for PKCS#11 URIs (RFC 7512)
> Bug 2472 - Add support to load additional certificates
> Bug 2075 - [PATCH] Enable key pair generation on a PKCS#11 device
>
> Namely, #2638 will be a big problem after the release of OpenSC
> 0.18.0 [1], which no longer allows the workflow OpenSSH is using.
>
> Also in #2817, there is a resurrection of the soft-pkcs11 module in
> the regress test suite, which can later be extended to verify other
> use cases as well.
>
> [1] https://github.com/OpenSC/OpenSC/pull/1256
>
> Thanks,
> --
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat, Inc.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>