From: Jakub J. <jj...@re...> - 2016-05-23 14:10:42
On 05/23/2016 10:39 AM, Mathias Brossard wrote:
> On Mon, May 23, 2016 at 1:11 AM, Jakub Jelen <jj...@re...
> <mailto:jj...@re...>> wrote:
>
> > OpenSSH pkcs11 currently does not support EC keys and needs a lot of
> > changes to support them. There are at least two patches hanging around
> > openssh mailing lists and bugzillas adding this support to some
> > extent.
> > I plan to have a look into this in the months or so to get that
> > upstream.
>
> I'm the author of the one in #2474
> (https://bugzilla.mindrot.org/show_bug.cgi?id=2474), tell me if
> there's something I can do to help. The patch is tested with OpenSC
> (Yubikey Neo).

Yes. I tested your patch. Not that there would be something wrong, but I would like to polish it and make it upstream. I started some comment on this bug, but moved to other tasks so I will not be able to work on this during next month.

So far I tested with the NIST PIV Test cards, and I noticed a lot of "C_GetAttributeValue failed:" messages, which is very annoying. Another consideration was using CKA_SIGN flags to test if the card even allows signatures using this key, but there will be probably more things to resolve.

Kind regards,

--
Jakub Jelen
Security Technologies
Red Hat