Bug 2075

Summary: [PATCH] Enable key pair generation on a PKCS#11 device
Product: Portable OpenSSH
Reporter: Ross McIlroy <rmcilroy>
Component: ssh-keygen
Assignee: Assigned to nobody <unassigned-bugs>
Status: NEW
Severity: enhancement
CC: djm, jjelen, markus
Priority: P5
Version: -current
Hardware: All
OS: All
Attachments:
  Pkcs11 key-pair generation patch (flags: none)

Description Ross McIlroy 2013-03-07 06:01:29 AEDT
Created attachment 2225: Pkcs11 key-pair generation patch

This patch enables ssh-keygen to generate an RSA public/private key pair on a PKCS#11 device (such as a TPM). Once the keys have been created on the PKCS#11 device, the public identity file is created as normal, but a new private key format is introduced to signal that the key needs to be loaded from an external device.

My plan is to augment this pkcs11 private key identity file format to enable automatic loading of the external key (e.g., without setting PKCS11Provider or using the -I option), but I wanted to run this by people first.
Comment 1 Damien Miller 2013-07-12 11:08:18 AEST
Markus - can you take a look at this?
Comment 2 Jakub Jelen 2018-02-23 02:06:34 AEDT
Using ssh-keygen to generate keys on a PKCS#11 device is an interesting idea, which I would clearly welcome to avoid using many other tools to generate keys on smart cards.

But I don't think referring to this key using an external file is the way to go. Can it be done without it? It would simplify the patch by a great deal.

Also I don't think that the generated key should have the CKA_DECRYPT attribute set, if it is to be used for SSH.

Otherwise, the key-generation changes look reasonable.
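The CKA_DECRYPT point in the comment above is about key-usage attributes in the private-key template handed to C_GenerateKeyPair: an SSH authentication key only ever signs, so granting it decryption capability is surplus privilege on the token. The following is an added example written for this page, not code from the attached patch or from OpenSSH. It mirrors a handful of PKCS#11 types and attribute constants locally (values as in the PKCS#11 v2.x specification) so it compiles without a pkcs11.h header, and it does not call a real module: it only builds a weak template beside a sign-only one and audits them with a hypothetical helper, template_ok_for_ssh(), which an ssh-keygen-style tool could run before generating the pair.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal local mirror of a few PKCS#11 types and constants so this block
 * compiles stand-alone. The numeric values follow the PKCS#11 v2.x spec;
 * real code would include the vendor's pkcs11.h instead. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef struct {
    CK_ATTRIBUTE_TYPE type;
    void *pValue;
    CK_ULONG ulValueLen;
} CK_ATTRIBUTE;

#define CK_TRUE  1
#define CK_FALSE 0
#define CKA_TOKEN       0x0001UL
#define CKA_PRIVATE     0x0002UL
#define CKA_SENSITIVE   0x0103UL
#define CKA_DECRYPT     0x0105UL
#define CKA_SIGN        0x0108UL
#define CKA_EXTRACTABLE 0x0162UL

static CK_BBOOL bTrue = CK_TRUE, bFalse = CK_FALSE;

/* Constructed example: a private-key template that grants both signing and
 * decryption. Usable for SSH, but carries capability SSH never exercises. */
static CK_ATTRIBUTE privTemplateWeak[] = {
    { CKA_TOKEN,     &bTrue, sizeof(bTrue) },
    { CKA_PRIVATE,   &bTrue, sizeof(bTrue) },
    { CKA_SENSITIVE, &bTrue, sizeof(bTrue) },
    { CKA_SIGN,      &bTrue, sizeof(bTrue) },
    { CKA_DECRYPT,   &bTrue, sizeof(bTrue) },   /* surplus for an SSH key */
};

/* Constructed example: the same key restricted to what SSH authentication
 * needs: sign only, sensitive, never extractable from the token. */
static CK_ATTRIBUTE privTemplateSsh[] = {
    { CKA_TOKEN,       &bTrue,  sizeof(bTrue) },
    { CKA_PRIVATE,     &bTrue,  sizeof(bTrue) },
    { CKA_SENSITIVE,   &bTrue,  sizeof(bTrue) },
    { CKA_EXTRACTABLE, &bFalse, sizeof(bFalse) },
    { CKA_SIGN,        &bTrue,  sizeof(bTrue) },
    { CKA_DECRYPT,     &bFalse, sizeof(bFalse) },
};

/* Look up a boolean attribute in a template: -1 if absent, else 0 or 1. */
static int attr_bool(const CK_ATTRIBUTE *t, size_t n, CK_ATTRIBUTE_TYPE type)
{
    for (size_t i = 0; i < n; i++) {
        if (t[i].type == type && t[i].ulValueLen == sizeof(CK_BBOOL))
            return *(const CK_BBOOL *)t[i].pValue ? 1 : 0;
    }
    return -1;
}

/* Hypothetical pre-generation audit: 1 if the private-key template is
 * acceptable for an SSH authentication key, 0 otherwise. The key must be
 * able to sign, must not be able to decrypt, and must stay on the token. */
int template_ok_for_ssh(const CK_ATTRIBUTE *t, size_t n)
{
    if (attr_bool(t, n, CKA_SIGN) != 1)        return 0;
    if (attr_bool(t, n, CKA_DECRYPT) == 1)     return 0;
    if (attr_bool(t, n, CKA_SENSITIVE) != 1)   return 0;
    if (attr_bool(t, n, CKA_EXTRACTABLE) == 1) return 0;
    return 1;
}

int weak_template_ok(void)
{
    return template_ok_for_ssh(privTemplateWeak,
                               sizeof privTemplateWeak / sizeof *privTemplateWeak);
}

int ssh_template_ok(void)
{
    return template_ok_for_ssh(privTemplateSsh,
                               sizeof privTemplateSsh / sizeof *privTemplateSsh);
}

int main(void)
{
    printf("weak template acceptable for SSH: %d\n", weak_template_ok());
    printf("sign-only template acceptable for SSH: %d\n", ssh_template_ok());
    return 0;
}
```

The check treats a missing CKA_DECRYPT as acceptable because the PKCS#11 default for that attribute is token-specific; a tool that wants a deterministic result should set it to CK_FALSE explicitly, as the sign-only template does, rather than rely on the default.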