ssh-agent pkcs11 uri to select certificate
Jakub Jelen
jjelen at redhat.com
Tue Jan 25 02:39:47 AEDT 2022
On 1/14/22 17:02, petrus at gozmail.bzh wrote:
> Hello,
>
>
> I have two hardware tokens (Thales/Safenet eToken 5110cc) that both
> contain certificates for various uses. They obviously use the same
> driver, libeToken.so (version 10.7.77). I have no issues using one of
> them either directly (with -I/PKCS11Provider) with ssh or ssh-agent.
>
> However, I have to keep both tokens connected and I need to add only one
> specific certificate to ssh-agent. For test purposes both tokens use the
> same pin code, as with every try if the pin code is different, the one
> for which it is incorrect will increment the tentative counter on the
> token thus ending up locking it. If the two pin codes are different the
> selection will be based on available certificates with that pin, so that
> kinda works until one of the two tokens is locked.
>
> From what I've read, p11-kit seems to be the piece of software that was
> missing to glue various middlewares to 'consumer' software like ssh.
>
> So, here are my two certificates:
>
> $ p11tool --list-all-certs
> pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo
>
> pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=ABCDEF1234567890;token=bar
>
>
> From what I've read, this syntax should be correct:
>
> $ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
> 'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo'
>
>
> Or even
>
> $ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
> pkcs11:serial=1234567890ABCDEF
>
> (I'm using ssh-add through p11-kit-proxy.so for now as I've not been
> able to directly use the pkcs11 uri - not sure if that matters).
>
> But the pkcs11 uri does not seem to be used and all certificates end up
> being added to ssh-agent:
>
> $ ssh-add -L
> ssh-rsa AAAAB3<snip> foo
> ssh-rsa AAAAC5<snip> bar
>
> Is this because of the use of p11-kit-proxy, or something else I've
> missed? If there is another method than p11-kit to achieve this I'm also
> interested!
I implemented support for PKCS#11 URI and it has been in Fedora and RHEL8+
for a couple of years. Unfortunately, it was not yet accepted and merged
into openssh:
https://bugzilla.mindrot.org/show_bug.cgi?id=2817
The patch is a bit outdated so not ready to be merged. The updated one
is in Fedora if you want to try that out:
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-pkcs11-uri.patch
Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
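As an added illustration (not code from OpenSSH, p11-kit or the Fedora patch), this is the object-selection step a URI-aware ssh-add has to perform: parse the RFC 7512 URI and keep only the objects whose attributes all match, so a URI naming a serial or token picks one of the two tokens instead of loading both. The TokenObject class, its attribute dicts and the two sample tokens are constructed for this example.

```python
from dataclasses import dataclass
from urllib.parse import unquote

@dataclass
class TokenObject:
    """Constructed stand-in for a key/certificate on a token; attrs use the
    RFC 7512 path-attribute names (token, serial, manufacturer, model, object)."""
    attrs: dict

def parse_pkcs11_uri(uri: str) -> tuple[dict, dict]:
    """Split 'pkcs11:<path>[?<query>]' into (path_attrs, query_attrs).
    Path attributes are ';'-separated, query attributes '&'-separated; names
    and values are percent-decoded. A malformed attribute raises ValueError so
    a typo in the URI fails loudly instead of matching every object."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")

    def split(part: str, sep: str) -> dict:
        out = {}
        for item in filter(None, part.split(sep)):
            name, eq, value = item.partition("=")
            if not eq or not name:
                raise ValueError(f"malformed attribute: {item!r}")
            out[unquote(name)] = unquote(value)
        return out

    return split(path_part, ";"), split(query_part, "&")

def matches(uri_attrs: dict, obj: TokenObject) -> bool:
    """RFC 7512 matching: every attribute named in the URI must be present on
    the object with an identical value; attributes the URI omits match anything."""
    return all(obj.attrs.get(name) == value for name, value in uri_attrs.items())

def select_objects(uri: str, objects: list) -> list:
    """Return only the objects the URI designates. Query attributes such as
    module-path say how to reach the module, not which object to pick."""
    path_attrs, _query_attrs = parse_pkcs11_uri(uri)
    return [obj for obj in objects if matches(path_attrs, obj)]

# Constructed sample: two tokens behind one driver, as in the thread above.
TOKENS = [
    TokenObject({"model": "ID Prime MD", "manufacturer": "Gemalto",
                 "serial": "1234567890ABCDEF", "token": "foo", "object": "foo-cert"}),
    TokenObject({"model": "ID Prime MD", "manufacturer": "Gemalto",
                 "serial": "ABCDEF1234567890", "token": "bar", "object": "bar-cert"}),
]
```

With only a serial or token given, a single object is selected; a URI that names nothing beyond the shared manufacturer and model matches both tokens, which is the behaviour the thread observes when the URI is ignored altogether.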