pkcs15-tool: added support for reading NIST ssh keys #1233
Conversation
src/tools/pkcs15-tool.c
Outdated
| {NULL, {{-1}}, 0}, | ||
| }; | ||
| char alg[20]; | ||
| unsigned char buf[4+30+4+9+4+256]; |
There was a problem hiding this comment.
I would write there either "big enough" number as for the RSA section or add there some comment why specially these numbers. Otherwise the code becomes it is very hard to maintain.
There was a problem hiding this comment.
Ok, what about:
#define ITEM_SIZE 4
#define ALG_NAME 30
#define CURVE_NAME 9
#define KEY_DATA 256
..
unsigned char buf[3*ITEM_SIZE+ALG_NAME+CURVE_NAME+KEY_DATA];
???
There was a problem hiding this comment.
Well ... you already propose that 30 chars is enough to fit ecdsa-sha2-nistp521 (19 chars), so I would rather put there something like this:
/* Large enough to fit the following:
* 3 x 4B item length headers
* max 20B algorithm name, 9B curve name, max 256B key data */
unsigned char buf[300];
Using constants makes it clearer, but significantly longer.
There was a problem hiding this comment.
Thanks for hint, pull request is already updated as your suggested.
'pkcs15-tool --read-ssh-key' is now able to read NIST ECC keys from card. Only 256, 384 and 521 field lengths are supported (same as allowed in ssh-keygen -t ecdsa). Issue OpenSC#803 is partialy fixed by this patch. Openssh PKCS11 interface patches for ECC are now available, please check https://bugzilla.mindrot.org/show_bug.cgi?id=2474
|
@popovec could you keep us updated, when ECDSA support is merged into OpenSSH? We'll keep the PR hanging till then. |
|
Ok, I will let you know when openssh support for ECSDA is integrated into official openssh release. |
|
thanks |
|
Fedora 28 shipped with ECDSA keys support in OpenSSH and it would be good to have also this in next OpenSC release. |
|
In response to #1233 (comment) The OpenSC pkcs11 can read ECC keys and do ECDSA and ECDH operations on some cards. |
I don't think so. The Regardless I just verified again with my yubikey, that this builds fine and the output matches the one from ssh-keygen for all the keys I have. |
|
Status update, please? |
|
To be honest, the task of converting a pem public key (readable from pkcs11) to the SSH format should not necessarily be part of any of the OpenSC tools. Convenient - yes. Blocking or must have feature? Not really. |
|
Even when openssh never gets support for ECC keys over pkcs#11 interface, pkcs15-tool should have support for listing any keys in ssh format. Or, to get consistent behavior, there is another option - support for listing only RSA keys in ssh format should be removed from pkcs15-tool. |
|
Tru. A "pem2ssh" probably exists? |
|
It is possible to do |
|
Sorry, I just noticed it was already suggested above. Anyway, if it is still wanted, we can include this feature after release of 0.18.0. |
|
Why after release? I am not saying this is a blocking issue, but it is something good to have for consistency as already mentioned by @popovec. It is always good to have more ways and tools of doing the same thing. The OpenSSH upstream does not ship the ecdsa in pkcs11 yet, but there are several people using it already. If OpenSSH will release in a three months with it, the next OpenSC release will be until next year? It really has to take a year to get such simple and isolated change into OpenSC release? |
|
@frankmorgner I see it is already after the release. Is anything else blocking merging this PR? |
'pkcs15-tool --read-ssh-key' is now able to read NIST ECC keys from card.
Only 256, 384 and 521 field lengths are supported (same as allowed in
ssh-keygen -t ecdsa). Issue #803 is partialy fixed by this patch.
Openssh PKCS11 interface patches for ECC are now available, please check
https://bugzilla.mindrot.org/show_bug.cgi?id=2474
Checklist