[RFC 0/2] add engine based keys

James Bottomley James.Bottomley at HansenPartnership.com
Thu Oct 26 18:41:17 AEDT 2017


Engine keys are private key files which are only understood by openssl
external engines.  The problem is they can't be loaded with the usual
openssl methods, they have to be loaded via ENGINE_load_private_key().
Because they're files, they fit well into openssh pub/private file
structure, so they're not very appropriately handled by the pkcs11
interface because it assumes the private keys are already present in
some token (so there's no way to pass in a file name).

The candidate I have for this is openssh private keys based on the
trusted platform module (either tpm 1.2 or tpm 2.0 ... we have engines
for both).

This is an example of my tpm2 based private/public ssh-key:

jejb at jarvis:~> ssh-add -o tpm2 /home/jejb/.ssh/id_rsa
Enter engine key passphrase:
jejb at jarvis:~> ssh-add -l
2048 SHA256:ZAv7jrI2bB2VBgk5jHA1g/fe4rVX1GqyCdPwF0ELU9k jejb at mulgrave (RSA)
jejb at jarvis:~> cat .ssh/id_rsa
-----BEGIN TSS2 KEY BLOB-----
[base64 key blob elided]
-----END TSS2 KEY BLOB-----


Where openssl_tpm2_engine is available here:

https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/

---

James Bottomley (2):
  Add support for openssl engine based keys
  engine: add "any" engine mechanism and make it the default

 Makefile.in  |   4 +-
 authfd.c     |  45 +++++++++++++++
 authfd.h     |   7 +++
 ssh-add.c    |  41 +++++++++++--
 ssh-agent.c  |  82 ++++++++++++++++++++++++++
 ssh-engine.c | 185 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 ssh-engine.h |  10 ++++
 7 files changed, 367 insertions(+), 7 deletions(-)
 create mode 100644 ssh-engine.c
 create mode 100644 ssh-engine.h
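As an added example, not code from this post or from the patch series: a small POSIX sh helper that tells plain OpenSSH key files from TPM2 engine key blobs by their PEM header, builds the matching ssh-add invocation, and audits a key directory for identities whose private material is still a software key on disk. The TSS2 header is taken from the session above; selecting the engine from the header is this example's own approach, not a description of how the series' "any" engine mechanism works.

```shell
#!/bin/sh
# Added example, not code from the post or the patch series.
# Classifies an SSH private key file by its PEM header so a wrapper can
# decide whether ssh-add needs "-o <engine>" (engine key) or not (plain key),
# and audits a directory for private keys that are NOT TPM-wrapped blobs.
# Assumption: header-based selection is this example's own idea.

# Print the engine needed for a key file: "tpm2", "none" (ordinary
# OpenSSH/PEM key that ssh-add loads itself) or "unknown".
key_engine_for() {
    [ -r "$1" ] || { echo unreadable; return 1; }
    header=$(head -n 1 "$1")
    case "$header" in
        "-----BEGIN TSS2 KEY BLOB-----") echo tpm2 ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----"|"-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN PRIVATE KEY-----") echo none ;;
        *) echo unknown ;;
    esac
}

# Build (but do not run) the ssh-add command line for a key file.
ssh_add_cmd_for() {
    engine=$(key_engine_for "$1") || return 1
    case "$engine" in
        none)    echo "ssh-add $1" ;;
        unknown) echo "unrecognised key format: $1" >&2; return 1 ;;
        *)       echo "ssh-add -o $engine $1" ;;
    esac
}

# List private keys under a directory whose material lives on disk as a
# software key rather than inside a TPM blob; useful when checking that a
# host's SSH identities are hardware-bound.
audit_software_keys() {
    for f in "$1"/id_*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        [ "$(key_engine_for "$f")" = none ] && printf '%s\n' "$f"
    done
    return 0
}

# Constructed sample key files (headers only, no real key material).
demo_dir=$(mktemp -d)
printf -- '-----BEGIN TSS2 KEY BLOB-----\nconstructed\n-----END TSS2 KEY BLOB-----\n' > "$demo_dir/id_rsa"
printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n' > "$demo_dir/id_ed25519"
echo "constructed public key" > "$demo_dir/id_ed25519.pub"
ssh_add_cmd_for "$demo_dir/id_rsa"
audit_software_keys "$demo_dir"
```

Running it prints the engine-based ssh-add line for the TPM2 blob and lists id_ed25519 as the only software key; remove "$demo_dir" afterwards.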



More information about the openssh-unix-dev mailing list