[PATCH 0/1] Add support for RFC7512 PKCS#11 URIs

James Bottomley James.Bottomley at HansenPartnership.com
Thu Jun 11 04:15:47 AEST 2020

Once engine keys are supported, adding PKCS#11 URI support becomes
easy because the libp11 engine already supports them.  For openssh,
all that has to happen is that openssh must not assume the URI passed
in to ssh-add is a file which can be opened.  When the transition to
openssl providers is done, PKCS#11 will have its own separate
provider, but the URI will be the same, so this entire scheme will
survive the transition even though the underlying implementation will
change slightly.

This is how it works: I've got two tokens set up in p11-kit, which is
the PKCS#11 provider on linux.  I can see this by using the gnutls
p11tool, which is already p11-kit integrated:

> p11tool --list-token-urls

My tokens are single key tokens, but for multiple key tokens, I'd have
to specify the key by id or object inside the token, but since I don't
I can do:

> ssh-add 'pkcs11:token=id_rsa_new'
Enter engine key passphrase:
Engine Identity added: pkcs11:token=id_rsa_new

Using the shortest URI that uniquely identifies the key (I've named my
tokens to be unique, if you don't you often get a generic token name
and you'd have to use other distinguishing data like the serial).  Now
ssh-add shows this token added to the agent by URI:

> ssh-add -l
2048 SHA256:6q8CFWO4m3Ky99h+Mp9b6KEBTdobxUZQGzd0Sgxilpg pkcs11:token=id_rsa_new (RSA)

This makes quite a neat way of handling tokens on a modern Linux
system without the user having to worry about provider shared objects.


James Bottomley (1):
  Support PKCS#11 URI keys vi libp11

 ssh-add.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)


More information about the openssh-unix-dev mailing list