Bug 2429 - ssh-keygen ignores keys that have CKA_ID == 0
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Smartcard
Version: 6.9p1
Hardware: Other Linux
: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_7_0
 
Reported: 2015-07-16 00:29 AEST by Jakub Jelen
Modified: 2016-08-02 10:40 AEST

Attachments
Do not require to return ID from token (1.24 KB, text/plain)
2015-07-16 00:29 AEST, Jakub Jelen

Description Jakub Jelen 2015-07-16 00:29:24 AEST
Created attachment 2670
Do not require to return ID from token

Based on our investigation of Smart Card usability with OpenSSH, we found several minor problems that were filed in our Red Hat Bugzilla [1]. Another problem is again with SoftHSM. It returns an empty ID, which is not handled correctly by ssh-keygen.

The length check was added based on bug #1773. It is fine to skip certificates that have empty values. But requiring a non-empty ID is not the preferred way because:
 * the ID is not used anywhere in ssh-keygen
 * some tokens do not provide an ID

The example is again the SoftHSM2 token, which returns an ID length of zero and is silently ignored by the current ssh-keygen.
This token also needs a login before even the public key can be accessed (not a rare example), but that will be described in another report, since it will require more changes.


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1241873
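The length check discussed in the description, modelled as an added example (not the attachment and not OpenSSH's own code). It assumes an RSA public key read through `CKA_ID`, `CKA_MODULUS` and `CKA_PUBLIC_EXPONENT`, uses constructed stand-in types and sample lengths, and goes slightly beyond the report by also treating PKCS#11's `CK_UNAVAILABLE_INFORMATION` length as "no value":

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for PKCS#11 types (constructed; real code uses pkcs11.h). */
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CKA_ID                     0x00000102UL
#define CKA_MODULUS                0x00000120UL
#define CKA_PUBLIC_EXPONENT        0x00000122UL
#define CK_UNAVAILABLE_INFORMATION (~0UL)

/* A length is usable only if the token reported a real, non-zero size. */
static int has_value(const CK_ATTRIBUTE *a)
{
	return a->ulValueLen != 0 && a->ulValueLen != CK_UNAVAILABLE_INFORMATION;
}

/* Strict filter: every queried attribute, CKA_ID included, must be non-empty. */
int key_usable_strict(const CK_ATTRIBUTE attrs[3])
{
	return has_value(&attrs[0]) && has_value(&attrs[1]) && has_value(&attrs[2]);
}

/* Relaxed filter: only the material needed to build the public key. */
int key_usable_relaxed(const CK_ATTRIBUTE attrs[3])
{
	return has_value(&attrs[1]) && has_value(&attrs[2]);
}

/* Constructed lengths as a first-pass query (pValue == NULL) might return. */
const CK_ATTRIBUTE empty_id_key[3] = {
	{ CKA_ID, NULL, 0 },                 /* token provides no ID */
	{ CKA_MODULUS, NULL, 256 },
	{ CKA_PUBLIC_EXPONENT, NULL, 3 },
};
const CK_ATTRIBUTE empty_modulus_obj[3] = {
	{ CKA_ID, NULL, 1 }, { CKA_MODULUS, NULL, 0 }, { CKA_PUBLIC_EXPONENT, NULL, 3 },
};

int main(void)
{
	printf("empty ID:      strict=%d relaxed=%d\n",
	    key_usable_strict(empty_id_key), key_usable_relaxed(empty_id_key));
	printf("empty modulus: strict=%d relaxed=%d\n",
	    key_usable_strict(empty_modulus_obj), key_usable_relaxed(empty_modulus_obj));
	return 0;
}
```

The strict filter drops the key with an empty ID without any diagnostic, while the relaxed filter keeps it and still rejects an object whose modulus is empty.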
Comment 1 Damien Miller 2015-07-17 11:59:39 AEST
FWIW PKCS#11 does allow CKA_ID to be empty, so we should support this
Comment 2 Damien Miller 2015-07-18 18:02:57 AEST
applied - thanks!
Comment 3 Damien Miller 2016-08-02 10:40:46 AEST
Close all resolved bugs after 7.3p1 release