Created attachment 3111: PKCS#11 URI (RFC7512) support

There is a series of patches adding support for PKCS#11 URIs [1] with a testsuite, and improving the existing tests to be actually run against a software pkcs11 module.

What is currently done:
* Print PKCS#11 URIs from ssh-keygen
* Accept PKCS#11 URIs in the -i argument to ssh
* Allow PKCS#11 URI specification in ssh_config
* Fallback to p11-kit-proxy
* PKCS#11 URI support for ssh-add and ssh-agent
* Internal representation is the PKCS#11 URI

Currently recognized and used parts of the PKCS#11 URI:
* path (optional)
  * object
  * token
  * id
  * manufacturer
* query (optional)
  * module-path

This allows us to select the key from a smart card or HSM with the same syntax used by other tools working with PKCS#11 devices. It would be very simple to extend the work to allow specifying various ways of providing PINs, which is part of the RFC.

The commits are reviewable on github [2] or in the attachment.

[1] https://tools.ietf.org/html/rfc7512
[2] https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
In my opinion the biggest advantage of this patch set is the ability to be specific about the keys to use from a token/smart card. That is, it no longer sends the server each and every key present on the card, but only the one specified by the user.
Created attachment 3119: PKCS#11 URI (RFC7512) support v2

I uploaded a new version of the patch, which removes the PKCS11URI configuration option; instead the URI can be provided to the IdentityFile configuration option with the prefix "pkcs11:".

The changes to the code are minimal (the largest part is the testing soft-pkcs11 module):

 Makefile.in                       |   24 +-
 configure.ac                      |   37 ++
 readconf.c                        |    5 +-
 regress/Makefile                  |    9 +-
 regress/agent-pkcs11.sh           |   13 +-
 regress/locl.h                    |   79 +++
 regress/pkcs11.sh                 |  285 +++++++++
 regress/soft-pkcs11.c             | 2058 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 regress/unittests/Makefile        |    2 +-
 regress/unittests/pkcs11/Makefile |    9 +
 regress/unittests/pkcs11/tests.c  |  329 ++++++++++
 ssh-add.c                         |   26 +
 ssh-agent.c                       |   99 ++-
 ssh-keygen.c                      |    1 +
 ssh-pkcs11-client.c               |    3 +
 ssh-pkcs11-uri.c                  |  399 ++++++++++++
 ssh-pkcs11-uri.h                  |   41 ++
 ssh-pkcs11.c                      |  266 ++++++--
 ssh-pkcs11.h                      |    5 +
 ssh.c                             |   99 ++-
 ssh_config.5                      |   13 +
 21 files changed, 3699 insertions(+), 103 deletions(-)
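To illustrate the URI parts the first comment lists as recognized (path attributes token, manufacturer, object, id; query attribute module-path) and the per-key selection the second comment describes, here is an added example parser and key filter. It is not OpenSSH's ssh-pkcs11-uri.c and shares no code with the patch set; the key records are constructed sample data, and matching is done by plain equality on the attributes the URI supplies.

```python
from urllib.parse import unquote_to_bytes

# Attributes the patch set lists as recognized. Other attributes are
# parsed and kept but play no role in key selection (an assumption here).
PATH_ATTRS = ("token", "manufacturer", "object", "id")
QUERY_ATTRS = ("module-path",)


def parse_pkcs11_uri(uri):
    """Split a 'pkcs11:' URI (RFC 7512) into path and query attributes.

    Path attributes are ';'-separated, query attributes '&'-separated,
    values are percent-decoded. 'id' is binary and is kept as bytes.
    """
    scheme, sep, rest = uri.partition(":")
    if sep != ":" or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI: %r" % uri)
    path, _, query = rest.partition("?")
    parsed = {"path": {}, "query": {}}
    for section, text, delim in (("path", path, ";"), ("query", query, "&")):
        for component in filter(None, text.split(delim)):
            name, eq, value = component.partition("=")
            if eq != "=" or not name:
                raise ValueError("malformed component %r" % component)
            if name in parsed[section]:
                raise ValueError("duplicate attribute %r" % name)
            raw = unquote_to_bytes(value)
            parsed[section][name] = raw if name == "id" else raw.decode("utf-8")
    return parsed


def select_keys(uri, keys):
    """Return only the keys whose attributes equal every path attribute in the URI.

    An attribute absent from the URI imposes no constraint, so 'pkcs11:' alone
    matches every key while 'pkcs11:token=X;id=%01' narrows to one key.
    """
    wanted = {n: v for n, v in parse_pkcs11_uri(uri)["path"].items() if n in PATH_ATTRS}
    return [k for k in keys if all(k.get(n) == v for n, v in wanted.items())]


# Constructed sample keys standing in for objects enumerated from a token.
SAMPLE_KEYS = [
    {"token": "My Card", "manufacturer": "Example Vendor", "object": "PIV AUTH key", "id": b"\x01"},
    {"token": "My Card", "manufacturer": "Example Vendor", "object": "Signature key", "id": b"\x02"},
    {"token": "Other Card", "manufacturer": "Example Vendor", "object": "PIV AUTH key", "id": b"\x01"},
]

if __name__ == "__main__":
    uri = "pkcs11:token=My%20Card;object=PIV%20AUTH%20key?module-path=/usr/lib/opensc-pkcs11.so"
    print(parse_pkcs11_uri(uri))
    print(select_keys(uri, SAMPLE_KEYS))  # only the PIV AUTH key on "My Card"
```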
I added some more tests and fixed the functionality of loading and unloading the keys per-URI instead of per-pkcs11-module as it used to be. The patches are available in my github branch and in copr.
The updated and rebased change is still available here:
https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
https://github.com/Jakuje/openssh-portable/commit/ed3eaf7d
This would be very helpful to us. We have multiple certificates on our smart cards and are now running into issues where connections fail because of too many authentication failures while trying the other certificates on the card. Please adopt this or at least comment as to why it isn't acceptable.
Rebased version tested on OSX and FreeBSD. In production without any issues for 3 months. Works very well & is very useful.