Bugzilla – Attachment 3133 Details for
Bug 2430
ssh-keygen should allow to login before reading public key from smart card
[patch]
Similar patch created while getting yubihsm_pkcs11.so to work with openssh
15a8467ad3a303335054b5af15fafd5c5f2ee5f2.patch (text/plain), 6.35 KB, created by
Peter Magnusson
on 2018-03-07 21:20:56 AEDT
Description:
Similar patch created while getting yubihsm_pkcs11.so to work with openssh
Filename:
MIME Type:
Creator:
Peter Magnusson
Created:
2018-03-07 21:20:56 AEDT
Size:
6.35 KB
patch
obsolete
>commit 15a8467ad3a303335054b5af15fafd5c5f2ee5f2 >Author: blaufish <blaufish@users.noreply.github.com> >Date: Mon Mar 5 18:57:32 2018 +0100 > > ssh-keygen PKCS11: Find CKA_PRIVATE keys by logging in > > pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so --login --list-objects > Using slot 0 with a present token (0x0) > Logging in to "YubiHSM". > Please enter User PIN: > Private Key Object; RSA > label: sshrsakey > ID: 1bba > Usage: sign > Public Key Object; RSA 2048 bits > label: sshrsakey > ID: 1bba > Usage: verify > Certificate Object; type = X.509 cert > label: sshrsakey > ID: 1bba > > ./ssh-keygen -D /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so > Enter PIN for 'YubiHSM': > C_GetAttributeValue failed: 18 > ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrkLmhqJ0DtSGU+zBBlM0JdkziETKvfwfkU4e9i+WftuuZpNld5N6RzlN7xGflVxYv/J4CigwWKTdGuoTPWgbCrANmYGCvEft+B5oBm6hL09zcHxNOWpjfUTJdWISLZx3pgbbT1Zxt0nNYOgn8GrKjG3+im3RINnzlJp0SjptoDOfV90CZNCSQsmXFnWFoPmtQvL+LLJgJUbJbyMUmtJGPijADeSNH07x2ge+zxjzyshC6x3nBZ63BIBUl4y7KlvwU+hs/J2oLT6ZyRUFu6TprSwML6Dxe0DAFr/0hp1LNuKomCYxmdcuV/BHGjScs5BjLmK3z7ABVzpLZBB/gtnGD > > cat ~/.ssh/authorized_keys > ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrkLmhqJ0DtSGU+zBBlM0JdkziETKvfwfkU4e9i+WftuuZpNld5N6RzlN7xGflVxYv/J4CigwWKTdGuoTPWgbCrANmYGCvEft+B5oBm6hL09zcHxNOWpjfUTJdWISLZx3pgbbT1Zxt0nNYOgn8GrKjG3+im3RINnzlJp0SjptoDOfV90CZNCSQsmXFnWFoPmtQvL+LLJgJUbJbyMUmtJGPijADeSNH07x2ge+zxjzyshC6x3nBZ63BIBUl4y7KlvwU+hs/J2oLT6ZyRUFu6TprSwML6Dxe0DAFr/0hp1LNuKomCYxmdcuV/BHGjScs5BjLmK3z7ABVzpLZBB/gtnGD > > ./ssh -I /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so XXXX@127.0.0.1 > Enter PIN for 'YubiHSM': > C_GetAttributeValue failed: 18 > *** log in successfull *** > > Note: > * yubihsm debug seems to indicate the certificate was imported without CKA_SUBJECT, causing the C_GetAttributeValue failure. > * ssh-pkcs11.c spews C_GetAttributeValue warnings if any ECDSA key is in the HSM. 
> 
>diff --git a/ssh-keygen.c b/ssh-keygen.c
>index d80930ee..f2b9027e 100644
>--- a/ssh-keygen.c
>+++ b/ssh-keygen.c
>@@ -774,7 +774,7 @@ do_download(struct passwd *pw)
> fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
> rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
> 
>- pkcs11_init(0);
>+ pkcs11_init(1);
> nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys);
> if (nkeys <= 0)
> fatal("cannot read public key from pkcs11");
>diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
>index 65a7b589..50b809ff 100644
>--- a/ssh-pkcs11.c
>+++ b/ssh-pkcs11.c
>@@ -216,6 +216,46 @@ pkcs11_find(struct pkcs11_provider *p, CK_ULONG slotidx, CK_ATTRIBUTE *attr,
> return (ret);
> }
> 
>+
>+static int
>+pkcs11_login(struct pkcs11_provider *p, struct pkcs11_slotinfo *si)
>+{
>+ char *pin = NULL, prompt[1024];
>+ CK_RV rv;
>+ CK_FUNCTION_LIST *f;
>+ f = p->function_list;
>+ if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
>+ if (!pkcs11_interactive) {
>+ error("need pin entry%s", (si->token.flags &
>+ CKF_PROTECTED_AUTHENTICATION_PATH) ?
>+ " on reader keypad" : "");
>+ return (-1);
>+ }
>+ if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
>+ verbose("Deferring PIN entry to reader keypad.");
>+ else {
>+ snprintf(prompt, sizeof(prompt),
>+ "Enter PIN for '%s': ", si->token.label);
>+ pin = read_passphrase(prompt, RP_ALLOW_EOF);
>+ if (pin == NULL)
>+ return (-1); /* bail out */
>+ }
>+ rv = f->C_Login(si->session, CKU_USER, (u_char *)pin,
>+ (pin != NULL) ? strlen(pin) : 0);
>+ if (pin != NULL) {
>+ explicit_bzero(pin, strlen(pin));
>+ free(pin);
>+ }
>+ if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
>+ error("C_Login failed: %lu", rv);
>+ return (-1);
>+ }
>+ si->logged_in = 1;
>+ }
>+ return 0;
>+}
>+
>+
> /* openssl callback doing the actual signing operation */
> static int
> pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
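Review bot: `pkcs11_init(1)` makes `ssh-keygen -D` interactive for every provider, so a token flagged CKF_LOGIN_REQUIRED will now prompt for its PIN during a plain public-key listing, because pkcs11_login only refuses to prompt when pkcs11_interactive is zero (the commit message's `Enter PIN for 'YubiHSM':` transcript shows the prompt on a listing). That is the intent for YubiHSM, but since the call previously passed 0 it deserves a one-line comment at the call site, e.g. `pkcs11_init(1); /* interactive: some tokens only expose objects after C_Login */`. Whether the PIN is actually requested on a token that already returns its public objects without login depends on the retry loop added to pkcs11_fetch_keys in a later hunk; do_download starts and ends outside this hunk.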
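Review bot: pkcs11_login is lifted verbatim from pkcs11_rsa_private_encrypt but carries no header comment and ends with `return 0;` where every other return in this file is parenthesised (`return (ret);`, `return (-1);`). Suggest `return (0);` and a short comment above the function stating that it performs a CKU_USER C_Login on slot si when the token requires it and si->logged_in is unset, prompts via read_passphrase unless the reader has a PIN pad, treats CKR_USER_ALREADY_LOGGED_IN as success, and returns -1 when pkcs11_interactive is zero or the login fails. It is worth saying in that comment that the helper is now reached from key enumeration as well as from signing, so its `need pin entry` error surfaces on a listing too.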
>@@ -237,7 +277,6 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
> {CKA_ID, NULL, 0},
> {CKA_SIGN, NULL, sizeof(true_val) }
> };
>- char *pin = NULL, prompt[1024];
> int rval = -1;
> 
> key_filter[0].pValue = &private_key_class;
>@@ -253,33 +292,8 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
> }
> f = k11->provider->function_list;
> si = &k11->provider->slotinfo[k11->slotidx];
>- if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
>- if (!pkcs11_interactive) {
>- error("need pin entry%s", (si->token.flags &
>- CKF_PROTECTED_AUTHENTICATION_PATH) ?
>- " on reader keypad" : "");
>- return (-1);
>- }
>- if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
>- verbose("Deferring PIN entry to reader keypad.");
>- else {
>- snprintf(prompt, sizeof(prompt),
>- "Enter PIN for '%s': ", si->token.label);
>- pin = read_passphrase(prompt, RP_ALLOW_EOF);
>- if (pin == NULL)
>- return (-1); /* bail out */
>- }
>- rv = f->C_Login(si->session, CKU_USER, (u_char *)pin,
>- (pin != NULL) ? strlen(pin) : 0);
>- if (pin != NULL) {
>- explicit_bzero(pin, strlen(pin));
>- free(pin);
>- }
>- if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
>- error("C_Login failed: %lu", rv);
>- return (-1);
>- }
>- si->logged_in = 1;
>+ if (pkcs11_login(k11->provider, si)) {
>+ return (-1);
> }
> key_filter[1].pValue = k11->keyid;
> key_filter[1].ulValueLen = k11->keyid_len;
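Review bot: The replacement `if (pkcs11_login(k11->provider, si)) {` tests the status as a truthy value and braces a single statement, while the code around it compares status returns explicitly and leaves one-statement bodies unbraced (`if (pin == NULL)` / `return (-1);` in the removed block, `if (nkeys <= 0)` in ssh-keygen.c). Prefer `if (pkcs11_login(k11->provider, si) < 0)` followed by an unbraced `return (-1);`, so a future change to the helper's return convention is caught by the comparison rather than silently accepted. pkcs11_rsa_private_encrypt starts before and continues past this hunk, so the remaining uses of `rv` and `f` after the login are not visible here.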
>@@ -422,14 +436,29 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
> { CKA_SUBJECT, NULL, 0 },
> { CKA_VALUE, NULL, 0 }
> };
>+ int keys;
>+ int certs;
>+ int i;
> pubkey_filter[0].pValue = &pubkey_class;
> cert_filter[0].pValue = &cert_class;
> 
>- if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, pubkey_attribs,
>- keysp, nkeys) < 0 ||
>- pkcs11_fetch_keys_filter(p, slotidx, cert_filter, cert_attribs,
>- keysp, nkeys) < 0)
>- return (-1);
>+ for (i = 0; i < 2; i++) {
>+ /* i==0: legacy behavior try to find keys without login */
>+ /* i==1: try again, logged in */
>+ keys = pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter,
>+ pubkey_attribs, keysp, nkeys);
>+ certs = pkcs11_fetch_keys_filter(p, slotidx, cert_filter,
>+ cert_attribs, keysp, nkeys) < 0;
>+ if (keys < 0 || certs < 0)
>+ return (-1);
>+ if (keys > 0 && certs > 0)
>+ break;
>+ if (i == 0) {
>+ if (pkcs11_login(p, &p->slotinfo[slotidx]))
>+ return (-1);
>+ }
>+ }
>+
> return (0);
> }
>
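Review bot: The `< 0` left on the end of `certs = pkcs11_fetch_keys_filter(p, slotidx, cert_filter, cert_attribs, keysp, nkeys) < 0;` turns `certs` into a 0/1 flag, so the `certs < 0` check two lines later can never fire (a failed certificate scan is no longer reported as an error) and `certs > 0` is true exactly when that scan failed, the opposite of what the `keys > 0 && certs > 0` early exit intends. Drop the comparison so it matches the `keys` assignment: `certs = pkcs11_fetch_keys_filter(p, slotidx, cert_filter,` / `    cert_attribs, keysp, nkeys);`. The loop also assumes both calls return a count of keys found; if pkcs11_fetch_keys_filter returns 0 on success (its body is outside this hunk), the `> 0` test never holds and the second, logged-in pass always runs, re-enumerating objects already appended to `*keysp`, and whether that yields duplicate entries depends on de-duplication inside that helper, which is not visible here. Note too that for a non-interactive caller whose first pass finds nothing, pkcs11_login's `need pin entry` error now fails the whole provider where the removed code returned success with zero keys; if that is intended it should be stated in the i==0/i==1 comments.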