Bug 2817 - Add support for PKCS#11 URIs (RFC 7512)
Summary: Add support for PKCS#11 URIs (RFC 7512)
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Smartcard
Version: 7.6p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords: pkcs11
Depends on:
Blocks:
 
Reported: 2018-01-06 01:25 AEDT by Jakub Jelen
Modified: 2020-11-10 22:30 AEDT

See Also:


Attachments
PKCS#11 URI (RFC7512) support (145.14 KB, patch)
2018-01-06 01:25 AEDT, Jakub Jelen
PKCS#11 URI (RFC7512) support v2 (125.89 KB, patch)
2018-02-16 02:14 AEDT, Jakub Jelen

Description Jakub Jelen 2018-01-06 01:25:16 AEDT
Created attachment 3111
PKCS#11 URI (RFC7512) support

There is a series of patches adding support for PKCS#11 URIs [1] with a testsuite, and improving the existing tests so that they are actually run against a software PKCS#11 module.

What is currently done:
 * Print PKCS#11 URIs from ssh-keygen
 * Accept PKCS#11 URIs in -i argument to ssh
 * Allow PKCS#11 URI specification in ssh_config
 * Fallback to p11-kit-proxy
 * PKCS#11 URI support for ssh-add and ssh-agent
  * internal representation is PKCS#11 URI

Currently recognized and used parts of PKCS#11 URI:
 * path (optional)
  * object
  * token
  * id
  * manufacturer
 * query (optional)
  * module-path

This allows us to select the key from a smart card or HSM with the same syntax used by other tools working with PKCS#11 devices.

It would be very simple to extend the work to allow specifying various ways for providing PINs, which is part of the RFC.

The commits are reviewable on github [2] or in the attachment.

[1] https://tools.ietf.org/html/rfc7512
[2] https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
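The attribute subset listed above (path: object, token, id, manufacturer; query: module-path) is enough to pin one key on one token. The parser below is an added example written for this page, not code from the patch set or from OpenSSH's ssh-pkcs11-uri.c, and it only handles that subset: it splits the path on ";" and the query on "&", percent-decodes every value (the id attribute is a binary CKA_ID and may decode to bytes including NUL, so it is kept with an explicit length), rejects an attribute that appears twice in the same component, and rejects a text value that decodes to an embedded NUL, since a silently truncated label could select a key the user did not name. The token, vendor, label and module path in the sample URI are invented.

```c
#include <stdlib.h>
#include <string.h>

/* The RFC 7512 subset the patch set on this bug recognizes. Example code,
 * not the patch's own ssh-pkcs11-uri.c. */
struct pkcs11_uri {
	char *object;		/* CKA_LABEL of the key (path: object=) */
	char *token;		/* token label (path: token=) */
	char *manufacturer;	/* token manufacturer (path: manufacturer=) */
	unsigned char *id;	/* CKA_ID as raw bytes (path: id=) */
	size_t id_len;		/* id= may contain NUL bytes, so keep a length */
	char *module_path;	/* provider module to load (query: module-path=) */
};

static int hexval(int c)
{
	if (c >= '0' && c <= '9') return c - '0';
	c |= 0x20;				/* fold A-F to a-f */
	return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src[0..len) into a fresh NUL-terminated buffer, decoded
 * length in *outlen. NULL on a truncated or non-hex escape. */
static unsigned char *pct_decode(const char *src, size_t len, size_t *outlen)
{
	unsigned char *out = malloc(len + 1);
	size_t i, o = 0;
	int hi, lo;
	if (out == NULL) return NULL;
	for (i = 0; i < len; i++) {
		if (src[i] != '%') { out[o++] = (unsigned char)src[i]; continue; }
		if (i + 2 >= len || (hi = hexval(src[i + 1])) < 0 ||
		    (lo = hexval(src[i + 2])) < 0) { free(out); return NULL; }
		out[o++] = (unsigned char)((hi << 4) | lo);
		i += 2;
	}
	out[o] = '\0';
	*outlen = o;
	return out;
}

/* Store one name=value attribute. A repeated attribute is rejected (RFC 7512
 * does not allow one twice in a component), as is a text value with an
 * embedded NUL. Names outside the subset above are ignored. */
static int set_attr(struct pkcs11_uri *u, int in_query, const char *name,
    size_t nlen, const char *val, size_t vlen)
{
	char **slot = NULL;
	unsigned char *dec;
	size_t declen;
#define IS(s) (nlen == strlen(s) && memcmp(name, s, nlen) == 0)
	if (!in_query && IS("id")) {
		if (u->id != NULL) return -1;
		return (u->id = pct_decode(val, vlen, &u->id_len)) ? 0 : -1;
	}
	if (!in_query && IS("object")) slot = &u->object;
	else if (!in_query && IS("token")) slot = &u->token;
	else if (!in_query && IS("manufacturer")) slot = &u->manufacturer;
	else if (in_query && IS("module-path")) slot = &u->module_path;
#undef IS
	if (slot == NULL) return 0;
	if (*slot != NULL) return -1;
	if ((dec = pct_decode(val, vlen, &declen)) == NULL) return -1;
	if (strlen((char *)dec) != declen) { free(dec); return -1; }
	*slot = (char *)dec;
	return 0;
}

/* Split a path (';'-separated) or query ('&'-separated) component. */
static int parse_component(struct pkcs11_uri *u, const char *s, size_t len,
    int in_query)
{
	char sep = in_query ? '&' : ';';
	size_t i = 0, j;
	const char *eq;
	while (i < len) {
		for (j = i; j < len && s[j] != sep; j++)
			;
		eq = memchr(s + i, '=', j - i);
		if (eq == NULL || eq == s + i) return -1;	/* need name=value */
		if (set_attr(u, in_query, s + i, (size_t)(eq - (s + i)),
		    eq + 1, (size_t)(s + j - (eq + 1))) < 0) return -1;
		i = j + 1;
	}
	return 0;
}

void pkcs11_uri_free(struct pkcs11_uri *u)
{
	free(u->object); free(u->token); free(u->manufacturer);
	free(u->id); free(u->module_path);
	memset(u, 0, sizeof(*u));
}

/* Parse "pkcs11:" path [ "?" query ]. 0 on success, -1 on error (u left
 * empty). A bare "pkcs11:" is valid and matches any key on any token. */
int pkcs11_uri_parse(const char *uri, struct pkcs11_uri *u)
{
	const char *p, *q;
	memset(u, 0, sizeof(*u));
	if (strncmp(uri, "pkcs11:", 7) != 0) return -1;
	p = uri + 7;
	q = strchr(p, '?');
	if (parse_component(u, p, q ? (size_t)(q - p) : strlen(p), 0) < 0 ||
	    (q != NULL && parse_component(u, q + 1, strlen(q + 1), 1) < 0)) {
		pkcs11_uri_free(u);
		return -1;
	}
	return 0;
}

/* Constructed sample; token, vendor, label and module path are invented.
 * demo_parse() parses into a global so the fields can be read afterwards. */
const char *SAMPLE_URI = "pkcs11:token=Example%20Token;manufacturer=Example%20Corp;"
    "object=ssh-key;id=%01%ab?module-path=/usr/lib/opensc-pkcs11.so";
struct pkcs11_uri last_uri;
int demo_parse(const char *uri)
{
	pkcs11_uri_free(&last_uri);
	return pkcs11_uri_parse(uri, &last_uri);
}
```

Two caveats when comparing against the real thing: RFC 7512 also defines attributes this example does not look at (type, serial, slot-id, the pin-value and pin-source query attributes the description mentions as future work), and a real implementation has to match the decoded token and object strings against the CK_UTF8CHAR fields the PKCS#11 module returns, which are space-padded fixed-width arrays, not C strings. Attributes this example does not know are ignored; a stricter implementation could reject them instead.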
Comment 1 Nikos Mavrogiannopoulos 2018-02-06 19:38:06 AEDT
In my opinion the biggest advantage of this patch set is the ability to be specific about the keys to use from a token/smart card. That is, it no longer sends the server each and every key present on the card, but only the one specified by the user.
Comment 2 Jakub Jelen 2018-02-16 02:14:42 AEDT
Created attachment 3119
PKCS#11 URI (RFC7512) support v2

I uploaded a new version of the patch, which removes the PKCS11URI configuration option; instead the URI can be provided to the IdentityFile configuration option with the prefix "pkcs11:".

The changes to the code are minimal (the largest part is the testing soft-pkcs11 module):

 Makefile.in                       |   24 +-
 configure.ac                      |   37 ++
 readconf.c                        |    5 +-
 regress/Makefile                  |    9 +-
 regress/agent-pkcs11.sh           |   13 +-
 regress/locl.h                    |   79 +++
 regress/pkcs11.sh                 |  285 +++++++++
 regress/soft-pkcs11.c             | 2058 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 regress/unittests/Makefile        |    2 +-
 regress/unittests/pkcs11/Makefile |    9 +
 regress/unittests/pkcs11/tests.c  |  329 ++++++++++
 ssh-add.c                         |   26 +
 ssh-agent.c                       |   99 ++-
 ssh-keygen.c                      |    1 +
 ssh-pkcs11-client.c               |    3 +
 ssh-pkcs11-uri.c                  |  399 ++++++++++++
 ssh-pkcs11-uri.h                  |   41 ++
 ssh-pkcs11.c                      |  266 ++++++--
 ssh-pkcs11.h                      |    5 +
 ssh.c                             |   99 ++-
 ssh_config.5                      |   13 +
 21 files changed, 3699 insertions(+), 103 deletions(-)
Comment 3 Jakub Jelen 2018-03-17 03:25:12 AEDT
I added some more tests and fixed the functionality of loading and unloading the keys per-URI instead of per-PKCS#11-module as it used to be. The patches are available in my github branch and in copr.
Comment 4 Jakub Jelen 2020-03-09 20:19:34 AEDT
The updated and rebased change is still available here

https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
https://github.com/Jakuje/openssh-portable/commit/ed3eaf7d
Comment 5 Orion Poplawski 2020-06-18 02:26:12 AEST
This would be very helpful to us.  We have multiple certificates on our smart cards and are now running into issues where connections fail because of too many authentication failures while trying the other certificates on the card.  Please adopt this or at least comment as to why it isn't acceptable.
Comment 6 Dirk-Willem van Gulik 2020-11-10 22:30:23 AEDT
Rebased version tested on OSX and FreeBSD. In production without any issues for 3 months. Works very well & is very useful.