
List:       openssh-bugs
Subject:    [Bug 2474] Enabling ECDSA in PKCS#11 support for ssh-agent
From:       bugzilla-daemon () bugzilla ! mindrot ! org
Date:       2018-02-16 16:35:23
Message-ID: bug-2474-705-kHwjEGMjJN () https ! bugzilla ! mindrot ! org/

https://bugzilla.mindrot.org/show_bug.cgi?id=2474

Jakub Jelen <jjelen@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jjelen@redhat.com

--- Comment #21 from Jakub Jelen <jjelen@redhat.com> ---
Created attachment 3122
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3122&action=edit
load ECDSA public key from certificates

I was trying to build it against OpenSSL 1.1.0 and hit several issues
with the eighth iteration patch:

 * I would say that the OpenSSL version and functions detection step
should happen during the configure phase, rather than during build on
top of each file using ECDSA keys.

 * OpenSSL 1.1.0 obsoletes most of the ECDSA_* structures and functions
in favor of the generic EC_KEY*. The OpenSSL 1.1.0 method structure is
called EC_KEY_METHOD. Doing this in a compatible manner will be a pain.

 * The functionality of pulling the public key from an X.509 certificate
is completely missing.

In the attached patch, there is a snippet to load ECDSA public keys
from certificates as my small contribution. Feel free to include it in
your patch.

I somehow solved the OpenSSL 1.1.0 compatibility, but probably for the
price of breaking backward compatibility with OpenSSL 1.0.x or
LibreSSL.

I put together some modifications to the original patch and built it in
copr for Fedora if somebody is interested and would like to try:

https://copr.fedorainfracloud.org/coprs/jjelen/openssh-pkcs11/

So far my testing looks fine, keys on my yubikey are recognized and I
can authenticate using them successfully.
