Bug 2817

Summary: Add support for PKCS#11 URIs (RFC 7512)
Product: Portable OpenSSH Reporter: Jakub Jelen <jjelen>
Component: SmartcardAssignee: Assigned to nobody <unassigned-bugs>
Status: NEW ---    
Severity: enhancement CC: dirkx, djm, dwmw2, egberts, n.mavrogiannopoulos, orion, thomas.jarosch
Priority: P5 Keywords: pkcs11
Version: 7.6p1   
Hardware: Other   
OS: Linux   
Attachments:
Description Flags
PKCS#11 URI (RFC7512) support
none
PKCS#11 URI (RFC7512) support v2 none

Description Jakub Jelen 2018-01-06 01:25:16 AEDT 
Created attachment 3111 [details]
PKCS#11 URI (RFC7512) support

There is a series of patches adding a support for PKCS#11 URIs [1] with testsuite and improving the existing tests to be actually run against a software pkcs11 module.

What is currently done:
 * Print PKCS#11 URIs from ssh-keygen
 * Accept PKCS#11 URIs in -i argument to ssh
 * Allow PKCS#11 URI specification in ssh_config
 * Fallback to p11-kit-proxy
 * PKCS#11 URI support for ssh-add and ssh-agent
  * internal representation is PKCS#11 URI

Currently recognized and used parts of PKCS#11 URI:
 * path (optional)
  * object
  * token
  * id
  * manufacturer
 * query (optional)
  * module-path

This allows us to select the key from smart card or HSM with the same syntax used by other tools working with PKCS#11 devices.

It would be very simple to extend the work to allow specifying various ways for providing PINs, which is part of the RFC.

The commits are reviewable on github [1] or in the attachment.

[1] https://tools.ietf.org/html/rfc7512
[2] https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
Comment 1 Nikos Mavrogiannopoulos 2018-02-06 19:38:06 AEDT 
In my opinion the biggest advantage of this patch set is the ability to be specific on the keys to use from a token/smart card. That is, no longer sends the server each and every key present in the card, but only the one specified by the user.
Comment 2 Jakub Jelen 2018-02-16 02:14:42 AEDT 
Created attachment 3119 [details]
PKCS#11 URI (RFC7512) support v2

I uploaded a new version of the patch, which is removing the PKCS11URI configuration option and instead the URI can be provided to IdentityFile configuration option with prefix "pkcs11:".

The changes to the code are minimal (the largest part is the testing soft-pkcs11 module):

 Makefile.in                       |   24 +-
 configure.ac                      |   37 ++
 readconf.c                        |    5 +-
 regress/Makefile                  |    9 +-
 regress/agent-pkcs11.sh           |   13 +-
 regress/locl.h                    |   79 +++
 regress/pkcs11.sh                 |  285 +++++++++
 regress/soft-pkcs11.c             | 2058 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 regress/unittests/Makefile        |    2 +-
 regress/unittests/pkcs11/Makefile |    9 +
 regress/unittests/pkcs11/tests.c  |  329 ++++++++++
 ssh-add.c                         |   26 +
 ssh-agent.c                       |   99 ++-
 ssh-keygen.c                      |    1 +
 ssh-pkcs11-client.c               |    3 +
 ssh-pkcs11-uri.c                  |  399 ++++++++++++
 ssh-pkcs11-uri.h                  |   41 ++
 ssh-pkcs11.c                      |  266 ++++++--
 ssh-pkcs11.h                      |    5 +
 ssh.c                             |   99 ++-
 ssh_config.5                      |   13 +
 21 files changed, 3699 insertions(+), 103 deletions(-)
Comment 3 Jakub Jelen 2018-03-17 03:25:12 AEDT 
I added some more tests and fixed the functionality of loading and unloading the keys per-uri instead of per-pkcs11-module as it used to be. The patches are available in my the github branch and in copr.
Comment 4 Jakub Jelen 2020-03-09 20:19:34 AEDT 
The updated and rebased change is still available here

https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
https://github.com/Jakuje/openssh-portable/commit/ed3eaf7d
Comment 5 Orion Poplawski 2020-06-18 02:26:12 AEST 
This would be very helpful to us.  We have multiple certificates on our smart cards and are now running into issues where connections fail because of too many authentication failures while trying the other certificates on the card.  Please adopt this or at least comment as to why it isn't acceptable.
Comment 6 Dirk-Willem van Gulik 2020-11-10 22:30:23 AEDT 
Rebased version tested on OSX and FreeBSD. In production without any issues for 3 months. Works very well & is very useful.