Outstanding PKCS#11 issues

Damien Miller djm at mindrot.org
Tue Feb 27 13:33:45 AEDT 2018


Hi,

Sorry for being slow on these - once I've cleared some of my backlog
and done the requisite remedial PKCS#11 education then I'll try to take
a look at them.

-d

On Mon, 26 Feb 2018, Jakub Jelen wrote:

> Hello everyone,
> 
> as you may have noticed over the years, there are several bugs for
> PKCS#11 improvement and integration which have been slipping under the
> radar for several releases, but the most painful ones are constantly
> updated by the community to build, work and make our lives better.
> 
> I wrote some of the patches, provided feedback to others, or offered
> other help here on the mailing list, but did not get much feedback;
> none of the patches (excluding some one-liners) are incorporated, and
> usually they have not even been reviewed or considered.
> 
> I believe using PKCS#11 as a store for private keys is a good practice
> and making OpenSSH work with it is a must. So again, I am offering my
> help in this area, not limited to the following bugs (ordered by
> complexity and priority):
> 
> Bug 2430 - ssh-keygen should allow to login before reading public key
> from smart card
> Bug 2652 - PKCS11 login skipped if login required and no pin set
> Bug 2638 - Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the
> private objects
> Bug 2474 - Enabling ECDSA in PKCS#11 support for ssh-agent
> Bug 2817 - Add support for PKCS#11 URIs (RFC 7512)
> Bug 2472 - Add support to load additional certificates
> Bug 2075 - [PATCH] Enable key pair generation on a PCKS#11 device
> 
> Namely, #2638 will be a big problem after the release of OpenSC
> 0.18.0 [1], which no longer allows the workflow OpenSSH is using.
> 
> Also in #2817, there is a resurrection of the soft-pkcs11 module in the
> regress test suite, which can later be extended to verify other use
> cases as well.
> 
> [1] https://github.com/OpenSC/OpenSC/pull/1256
> 
> Thanks,
> -- 
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat, Inc.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 