From: Mathias B. <ma...@br...> - 2016-05-23 21:53:47
On Mon, May 23, 2016 at 12:52 PM, Douglas E Engert <dee...@gm...> wrote:
>
> On 5/23/2016 9:10 AM, Jakub Jelen wrote:
> > On 05/23/2016 10:39 AM, Mathias Brossard wrote:
> >> On Mon, May 23, 2016 at 1:11 AM, Jakub Jelen <jj...@re...
> >> <mailto:jj...@re...>> wrote:
> >>
> >> OpenSSH pkcs11 currently does not support EC keys and needs a lot of
> >> changes to support them. There are at least two patches hanging around
> >> openssh mailing lists and bugzillas adding this support to some extent.
> >> I plan to have a look into this in the months or so to get that
> >> upstream.
> >>
> >>
> >> I'm the author of the one in #2474
> >> (https://bugzilla.mindrot.org/show_bug.cgi?id=2474), tell me if
> >> there's something I can do to help. The patch is tested with OpenSC
> >> (Yubikey Neo).
> > Yes. I tested your patch. Not that there would be something wrong, but I
> > would like to polish it and make it upstream. I started some comment on
> > this bug, but moved to other tasks so I will not be able to work on this
> > during next month.
>
> Keep in mind that OpenSSL-1.1.0 changes the EC structures that were used
> in 1.0.2. Before 1.1.0, there were ECDSA_METHOD and ECDH_METHOD. With 1.1.0
> there is only EC_KEY_METHOD with multiple routines.
>

True. I worked on it a little bit, but wasn't sure if updating my patch before OpenSSL 1.1 is out was worth it. Hopefully rc5 will be the last time they change the APIs we need.

> The OpenSC libp11 now has the opensc_engine built in and can run with
> OpenSSL versions 0.9.8 to 1.1.0.
>

I don't think OpenSSH would accept a patch to make it use libp11: too many changes and license.

Sincerely,
-- 
Mathias Brossard