Bug 2075 - [PATCH] Enable key pair generation on a PKCS#11 device
Summary: [PATCH] Enable key pair generation on a PKCS#11 device
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keygen
Version: -current
Hardware: All All
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-07 06:01 AEDT by Ross McIlroy
Modified: 2018-02-23 02:06 AEDT
3 users

See Also:


Attachments
Pkcs11 key-pair generation patch (28.79 KB, patch)
2013-03-07 06:01 AEDT, Ross McIlroy

Description Ross McIlroy 2013-03-07 06:01:29 AEDT
Created attachment 2225
Pkcs11 key-pair generation patch

This patch enables ssh-keygen to generate an RSA public/private key pair on a PKCS#11 device (such as a TPM). Once the keys have been created on the PKCS#11 device, the public identity file is created as normal, but a new private key format is introduced to signal that the key needs to be loaded from an external device.

My plan is to augment this pkcs11 private key identity file format to enable automatic loading of the external key (e.g., without setting PKCS11Provider or using the -I option), but I wanted to run this by people first.
Comment 1 Damien Miller 2013-07-12 11:08:18 AEST
Markus - can you take a look at this?
Comment 2 Jakub Jelen 2018-02-23 02:06:34 AEDT
Using ssh-keygen to generate keys on a PKCS#11 device is an interesting idea that I would clearly welcome, to avoid using many other tools to generate keys on smart cards.

But I don't think referring to this key using an external file is the way to go. Can it be done without it? It would simplify the patch by a great deal.

Also, I don't think that the generated key should have the CKA_DECRYPT attribute set if it is to be used for SSH.

Otherwise, the key-generation changes look reasonable.
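The following is an added illustration, not code from the attached patch or from OpenSSH, of the two points raised in this bug: the attribute templates a PKCS#11 key-generation backend would hand to C_GenerateKeyPair (with the private key restricted to signing, i.e. CKA_SIGN set and CKA_DECRYPT cleared, as comment 2 suggests), and the step the description calls "the public identity file is created as normal", which only needs the token's CKA_MODULUS and CKA_PUBLIC_EXPONENT attributes to produce an OpenSSH "ssh-rsa" line. No token is touched: the attribute constants are the PKCS#11 v2.x values, and the modulus bytes used in the demo are a constructed placeholder, not a real RSA modulus.

```python
"""Added example (not part of the OpenSSH patch): C_GenerateKeyPair templates
for an SSH authentication key, a key-usage lint for the private template, and
the ssh-rsa public-line encoding from the token's public-key attributes."""
import base64
import struct

# PKCS#11 v2.x attribute types and object constants.
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL = 0x000, 0x001, 0x002, 0x003
CKA_KEY_TYPE, CKA_ID, CKA_SENSITIVE = 0x100, 0x102, 0x103
CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY = 0x104, 0x105, 0x108, 0x10A
CKA_MODULUS, CKA_MODULUS_BITS, CKA_PUBLIC_EXPONENT = 0x120, 0x121, 0x122
CKA_EXTRACTABLE = 0x162
CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKK_RSA = 2, 3, 0


def rsa_keygen_templates(label: str, key_id: bytes, bits: int = 2048):
    """Public/private templates for C_GenerateKeyPair of an SSH auth key.
    The private key stays on the token, is sensitive and non-extractable,
    and may sign only: CKA_DECRYPT is deliberately false."""
    public = {
        CKA_CLASS: CKO_PUBLIC_KEY, CKA_KEY_TYPE: CKK_RSA, CKA_TOKEN: True,
        CKA_LABEL: label, CKA_ID: key_id,
        CKA_MODULUS_BITS: bits, CKA_PUBLIC_EXPONENT: b"\x01\x00\x01",
        CKA_VERIFY: True, CKA_ENCRYPT: False,
    }
    private = {
        CKA_CLASS: CKO_PRIVATE_KEY, CKA_KEY_TYPE: CKK_RSA, CKA_TOKEN: True,
        CKA_LABEL: label, CKA_ID: key_id, CKA_PRIVATE: True,
        CKA_SENSITIVE: True, CKA_EXTRACTABLE: False,
        CKA_SIGN: True, CKA_DECRYPT: False,
    }
    return public, private


def lint_ssh_private_template(tmpl: dict) -> list:
    """Policy findings for a private-key template meant for SSH authentication."""
    findings = []
    if not tmpl.get(CKA_SIGN):
        findings.append("CKA_SIGN must be true: SSH authentication signs")
    if tmpl.get(CKA_DECRYPT):
        findings.append("CKA_DECRYPT should not be set on an SSH signing key")
    if not tmpl.get(CKA_SENSITIVE) or tmpl.get(CKA_EXTRACTABLE, False):
        findings.append("private key should be CKA_SENSITIVE and not CKA_EXTRACTABLE")
    return findings


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': two's-complement, so a leading 0x00 keeps it positive."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def ssh_rsa_public_line(modulus: bytes, exponent: bytes, comment: str) -> str:
    """Encode CKA_MODULUS / CKA_PUBLIC_EXPONENT (big-endian byte arrays, as
    PKCS#11 returns them) as an OpenSSH public identity line."""
    e = int.from_bytes(exponent, "big")
    n = int.from_bytes(modulus, "big")
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def parse_ssh_rsa_public_line(line: str):
    """Decode an ssh-rsa line back to (e, n, comment); used to verify the output."""
    kind, b64, comment = line.split(" ", 2)
    blob = base64.b64decode(b64)
    fields, off = [], 0
    while off < len(blob):
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    if kind != "ssh-rsa" or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public line")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big"), comment


if __name__ == "__main__":
    pub, priv = rsa_keygen_templates("ssh-auth-key", b"\x01")
    print("private template findings:", lint_ssh_private_template(priv))
    # Constructed placeholder modulus (NOT a real RSA modulus), high bit set
    # so the mpint padding rule is exercised.
    demo_modulus = b"\xc3" + b"\x5a" * 31
    line = ssh_rsa_public_line(demo_modulus, b"\x01\x00\x01", "demo@token")
    print(line)
    print(parse_ssh_rsa_public_line(line))
```

The lint only covers what the bug discusses (sign-only usage, token-resident and non-extractable private material); a real backend would also need to handle tokens that reject unsupported attributes and to check the returned key's actual attributes rather than trusting the template.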