ssh-agent add PKCS#11 support

Alon Bar-Lev alon.barlev at gmail.com
Wed Oct 5 21:18:33 EST 2005


Peter Stuge wrote:
> On Wed, Oct 05, 2005 at 01:14:57AM +0000, Alon Bar-Lev wrote:
> 
>>I can easily make the scard.c, scard-opensc.c and 
>>ssh-agent.c support PKCS#11.
> 
> 
> If you do, may I suggest checking out libp11, also by the OpenSC
> project.
> 
> http://www.opensc.org/libp11/

Hello,

I've seen this lib and I don't think it is flexible enough.
It handles only one provider at a time, it does not allow
selecting objects based on attributes, and it performs some unneeded
operations with the token that may lead to incompatibility.
It also assumes that public keys are stored on the token, which is
incorrect.

I have a different implementation that minimizes the
requirements from the token; it also supports several
providers so that the user can load all of his providers with
the same configuration. The user can select objects based on
slot id, slot name, token label and object id, object label,
or certificate subject name. The best way is for the user to
select the object by token label and certificate subject name;
then he can insert the token into any slot and even renew his
certificate and the software will continue to work.

Best Regards,
Alon Bar-Lev
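Added illustration of the selection argument above (not code from OpenSSH, libp11, or the poster's implementation): a constructed in-memory model of providers, slots, tokens and objects, with two selectors. Selecting by slot id plus object id breaks once the token is moved or the certificate is renewed; selecting by token label plus certificate subject still resolves the key. The subject is a plain string here, whereas real code would parse the DER-encoded DN.

```python
# Constructed in-memory stand-in for what PKCS#11 providers expose
# (provider -> slots -> token -> objects). No real PKCS#11 calls are made.
def obj(cls, obj_id, label, subject=None):
    # cls is "cert" or "privkey"; obj_id models CKA_ID, which pairs a cert with its key
    return {"cls": cls, "id": obj_id, "label": label, "subject": subject}

def token(label, objects):
    return {"label": label, "objects": objects}

def slot(slot_id, tok=None):
    return {"id": slot_id, "token": tok}

def select_by_slot_and_id(providers, slot_id, obj_id):
    """Brittle: bound to the physical slot and to the object id."""
    for name, slots in providers.items():
        for s in slots:
            if s["id"] == slot_id and s["token"]:
                for o in s["token"]["objects"]:
                    if o["cls"] == "privkey" and o["id"] == obj_id:
                        return name, s["id"], o["label"]
    return None

def select_by_token_and_subject(providers, token_label, subject):
    """Robust: find the certificate by token label + subject on any slot of any
    provider, then the private key that shares its id."""
    for name, slots in providers.items():
        for s in slots:
            t = s["token"]
            if not t or t["label"] != token_label:
                continue
            for c in t["objects"]:
                if c["cls"] != "cert" or c["subject"] != subject:
                    continue
                for k in t["objects"]:
                    if k["cls"] == "privkey" and k["id"] == c["id"]:
                        return name, s["id"], k["label"]
    return None

SUBJECT = "CN=alon,O=example"  # constructed subject string; real code parses the DER DN

def before():
    # token "MyToken" in slot 0 of provider A, cert/key pair with id 0x01
    t = token("MyToken", [obj("cert", b"\x01", "cert1", SUBJECT), obj("privkey", b"\x01", "key1")])
    return {"A": [slot(0, t), slot(1)], "B": [slot(0)]}

def after_move_and_renew():
    # same token now in slot 1 of provider B; certificate renewed, new pair with id 0x02
    t = token("MyToken", [obj("cert", b"\x02", "cert2", SUBJECT), obj("privkey", b"\x02", "key2")])
    return {"A": [slot(0), slot(1)], "B": [slot(0), slot(1, t)]}
```

Calling both selectors on `before()` and `after_move_and_renew()` shows that only the token-label/subject lookup keeps resolving the private key after the move and renewal.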