Outstanding PKCS#11 issues

Jakub Jelen jjelen at redhat.com
Fri Mar 2 21:26:02 AEDT 2018


On Tue, 2018-02-27 at 13:33 +1100, Damien Miller wrote:
> Hi,
> 
> Sorry for being slow on these - once I've cleared some of my backlog
> and done the requisite remedial PKCS#11 education then I'll try to
> take a look at them.

Thank you for the answer. Please let me know if any clarification,
more help, reviews or testing is needed.

Jakub

> 
> -d
> 
> On Mon, 26 Feb 2018, Jakub Jelen wrote:
> 
> > Hello everyone,
> > 
> > as you could have noticed over the years, there are several bugs for
> > PKCS#11 improvement and integration which have been slipping under the
> > radar for several releases, but the most painful ones are constantly
> > updated by the community to build, work and make our lives better.
> > 
> > I wrote some of the patches, provided feedback to others, or offered
> > other help here on the mailing list, but did not get much feedback;
> > none of the patches (excluding some one-liners) are incorporated, and
> > usually they have not even been reviewed or considered.
> > 
> > I believe using PKCS#11 as a store for private keys is a good practice
> > and making OpenSSH work with it is a must. So again, I am offering my
> > help in this area, not limited to the following bugs (ordered according
> > to complexity and priority):
> > 
> > Bug 2430 - ssh-keygen should allow to login before reading public key
> > from smart card
> > Bug 2652 - PKCS11 login skipped if login required and no pin set
> > Bug 2638 - Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the
> > private objects
> > Bug 2474 - Enabling ECDSA in PKCS#11 support for ssh-agent
> > Bug 2817 - Add support for PKCS#11 URIs (RFC 7512)
> > Bug 2472 - Add support to load additional certificates
> > Bug 2075 - [PATCH] Enable key pair generation on a PKCS#11 device
> > 
> > Namely, the #2638 one will be a big problem after the release of OpenSC
> > 0.18.0 [1], which no longer allows the workflow OpenSSH is using.
> > 
> > Also in the #2817, there is a resurrection of the soft-pkcs11 module in
> > the regress test suite, which can later be extended to also verify other
> > use cases.
> > 
> > [1] https://github.com/OpenSC/OpenSC/pull/1256
> > 
> > Thanks,
> > -- 
> > Jakub Jelen
> > Software Engineer
> > Security Technologies
> > Red Hat, Inc.
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> > 
> 
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
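As an added example (not code from the OpenSSH project or from anyone in this thread), here is a small Python parser for the RFC 7512 PKCS#11 URI format that bug 2817 asks for, mapped onto the CKA_* attribute template a client would search a token with. The sample URI, its token label and the module path are constructed placeholders; rejecting vendor-specific attributes is a strictness choice of this example, not an RFC requirement.

```python
from urllib.parse import unquote_to_bytes

# Attribute names RFC 7512 defines for the path (';'-separated selectors)
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-version", "library-description", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
# Attribute names RFC 7512 defines for the query ('&'-separated)
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}
# Constructed sample URI; the module path is a placeholder, not a real file
SAMPLE_URI = ("pkcs11:token=My%20Token;object=my-key;id=%01%02;type=private"
              "?module-path=/path/to/pkcs11-module.so")


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs); values percent-decoded, 'id' kept
    as bytes since CKA_ID is binary. Vendor attributes, which RFC 7512
    allows, are rejected here for strictness. Raises ValueError if bad."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")

    def split(part, sep, allowed):
        attrs = {}
        for item in (part.split(sep) if part else []):
            name, eq, raw = item.partition("=")
            if not eq or name not in allowed:
                raise ValueError("bad attribute: %r" % item)
            if name in attrs:  # RFC 7512 forbids repeating an attribute
                raise ValueError("duplicate attribute: %s" % name)
            value = unquote_to_bytes(raw)
            attrs[name] = value if name == "id" else value.decode("utf-8")
        return attrs

    path = split(path_part, ";", PATH_ATTRS)
    query = split(query_part, "&", QUERY_ATTRS)
    if "type" in path and path["type"] not in OBJECT_TYPES:
        raise ValueError("unknown object type: %s" % path["type"])
    return path, query


def private_key_template(uri):
    """Map URI selectors onto the CKA_* names a client would put in its
    C_FindObjectsInit template. Also reports whether the URI carries an
    embedded pin-value, a secret that must never be logged or echoed."""
    path, query = parse_pkcs11_uri(uri)
    template = {"CKA_CLASS": "CKO_PRIVATE_KEY"}
    if "object" in path:
        template["CKA_LABEL"] = path["object"]
    if "id" in path:
        template["CKA_ID"] = path["id"]
    return template, path.get("token"), "pin-value" in query
```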

