Support for SSH authentication #27
Comments
|
After quick look at the code, it seems that for first error, we would have to implement For 2nd one, we would need to implement I also found https://sourceforge.net/p/gnupg-pkcs11/mailman/message/393565/ and https://sourceforge.net/p/gnupg-pkcs11/mailman/message/393567/. I wonder if anything changed since then. It seems using |
It seems this is optional for functioning.
Once I changed argument for Final patch: From 530880802537664531ef1682c431e41e7ddcb647 Mon Sep 17 00:00:00 2001
From: Mateusz Gozdek <mgozdekof@gmail.com>
Date: Mon, 15 Mar 2021 12:34:49 +0100
Subject: [PATCH] test auth
Signed-off-by: Mateusz Gozdek <mgozdekof@gmail.com>
---
gnupg-pkcs11-scd/command.c | 41 ++++++++++++++++++++++++-------------
gnupg-pkcs11-scd/command.h | 1 +
gnupg-pkcs11-scd/scdaemon.c | 2 +-
3 files changed, 29 insertions(+), 15 deletions(-)
diff --git gnupg-pkcs11-scd/command.c gnupg-pkcs11-scd/command.c
index 331a005..ebc9ffb 100644
--- gnupg-pkcs11-scd/command.c
+++ gnupg-pkcs11-scd/command.c
@@ -52,6 +52,17 @@
#define OPENPGP_ENCR 2
#define OPENPGP_AUTH 3
+typedef enum {
+ INJECT_NONE=0,
+ INJECT_RMD160,
+ INJECT_MD5,
+ INJECT_SHA1,
+ INJECT_SHA224,
+ INJECT_SHA256,
+ INJECT_SHA384,
+ INJECT_SHA512
+} inject;
+
/**
@file
Implementation of assuan commands. Currently, only one card is supported,
@@ -974,8 +985,7 @@ cleanup:
return gpg_error (error);
}
-/** Sign data (set by SETDATA) with certificate id in line. */
-gpg_error_t cmd_pksign (assuan_context_t ctx, char *line)
+gpg_error_t _cmd_pksign_type (assuan_context_t ctx, char *line, int typehint, inject injectDefault)
{
static const unsigned char rmd160_prefix[] = /* (1.3.36.3.2.1) */
{ 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x24, 0x03,
@@ -1013,16 +1023,7 @@ gpg_error_t cmd_pksign (assuan_context_t ctx, char *line)
unsigned char *sig = NULL;
size_t sig_len;
char hash[100] = "";
- enum {
- INJECT_NONE,
- INJECT_RMD160,
- INJECT_MD5,
- INJECT_SHA1,
- INJECT_SHA224,
- INJECT_SHA256,
- INJECT_SHA384,
- INJECT_SHA512
- } inject = INJECT_NONE;
+ inject inject;
if (data->data == NULL) {
error = GPG_ERR_INV_DATA;
@@ -1133,7 +1134,7 @@ gpg_error_t cmd_pksign (assuan_context_t ctx, char *line)
* unknown hash algorithm;
* gnupg's scdaemon forces to SHA1
*/
- inject = INJECT_SHA1;
+ inject = injectDefault;
}
}
@@ -1197,7 +1198,7 @@ gpg_error_t cmd_pksign (assuan_context_t ctx, char *line)
(error = _get_certificate_by_name (
ctx,
line,
- OPENPGP_SIGN,
+ typehint,
&cert_id,
NULL
)) != GPG_ERR_NO_ERROR
@@ -1298,6 +1299,18 @@ cleanup:
return gpg_error (error);
}
+/** Sign data (set by SETDATA) with certificate id in line. */
+gpg_error_t cmd_pksign (assuan_context_t ctx, char *line)
+{
+ return _cmd_pksign_type(ctx, line, OPENPGP_SIGN, INJECT_SHA1);
+}
+
+/** Sign data (set by SETDATA) with certificate id in line. */
+gpg_error_t cmd_pkauth (assuan_context_t ctx, char *line)
+{
+ return _cmd_pksign_type(ctx, line, OPENPGP_AUTH, INJECT_NONE);
+}
+
/** Decrypt data (set by SETDATA) with certificate id in line. */
gpg_error_t cmd_pkdecrypt (assuan_context_t ctx, char *line)
{
diff --git gnupg-pkcs11-scd/command.h gnupg-pkcs11-scd/command.h
index cd17663..7d25798 100644
--- gnupg-pkcs11-scd/command.h
+++ gnupg-pkcs11-scd/command.h
@@ -49,6 +49,7 @@ gpg_error_t cmd_readcert (assuan_context_t ctx, char *line);
gpg_error_t cmd_readkey (assuan_context_t ctx, char *line);
gpg_error_t cmd_setdata (assuan_context_t ctx, char *line);
gpg_error_t cmd_pksign (assuan_context_t ctx, char *line);
+gpg_error_t cmd_pkauth (assuan_context_t ctx, char *line);
gpg_error_t cmd_pkdecrypt (assuan_context_t ctx, char *line);
gpg_error_t cmd_random (assuan_context_t ctx, char *line);
gpg_error_t cmd_checkpin (assuan_context_t ctx, char *line);
diff --git gnupg-pkcs11-scd/scdaemon.c gnupg-pkcs11-scd/scdaemon.c
index 760ed63..6a026f3 100644
--- gnupg-pkcs11-scd/scdaemon.c
+++ gnupg-pkcs11-scd/scdaemon.c
@@ -125,7 +125,7 @@ register_commands (const assuan_context_t ctx)
{ "KEY-DATA", NULL, NULL },
{ "SETDATA", cmd_setdata, NULL },
{ "PKSIGN", cmd_pksign, NULL },
- { "PKAUTH", NULL, NULL },
+ { "PKAUTH", cmd_pkauth, NULL },
{ "PKDECRYPT", cmd_pkdecrypt, NULL },
{ "INPUT", NULL, NULL },
{ "OUTPUT", NULL, NULL },
--
2.30.2
I'm curious if I missed something and if such patch would be accepted. |
|
Thanks, looks good! Can you please create a proper pull request so I can merge it as-is? Can you please try to drop the typedef and use enum directly? |
|
Sure, I'll have a look. Thanks! |
|
and please make the _cmd_pksign_type static. |
invidian
added a commit
to invidian/gnupg-pkcs11-scd
that referenced
this issue
Mar 19, 2021
This commit adds PKAUTH command support to gnupg-pkcs11-scd, so gpg-agent with "enable-ssh-support" setting defined can act as a SSH Agent when PKCS11 is used as a GPG backend. Auth operation is almost the same as sign operation, except it looks like SSH always sends data with hash algorithm signature appended at the beginning, but the data is of different size than the signature detection code expects, so it always fallback to default behavior, which is to append SHA1 signature. As having 2 different signature prefixes is incorrect, we need to use the different default value from the sign action, which is to not append anything in case of auth operation. Closes alonbl#27 Signed-off-by: Mateusz Gozdek <mgozdekof@gmail.com>
|
Created #28. |
invidian
added a commit
to invidian/gnupg-pkcs11-scd
that referenced
this issue
Mar 19, 2021
This commit adds PKAUTH command support to gnupg-pkcs11-scd, so gpg-agent with "enable-ssh-support" setting defined can act as a SSH Agent when PKCS11 is used as a GPG backend. Auth operation is almost the same as sign operation, except it looks like SSH always sends data with hash algorithm signature appended at the beginning, but the data is of different size than the signature detection code expects, so it always fallback to default behavior, which is to append SHA1 signature. As having 2 different signature prefixes is incorrect, we need to use the different default value from the sign action, which is to not append anything in case of auth operation. Closes alonbl#27 Signed-off-by: Mateusz Gozdek <mgozdekof@gmail.com>
invidian
added a commit
to invidian/gnupg-pkcs11-scd
that referenced
this issue
Mar 19, 2021
This commit adds PKAUTH command support to gnupg-pkcs11-scd, so gpg-agent with "enable-ssh-support" setting defined can act as a SSH Agent when PKCS11 is used as a GPG backend. Auth operation is almost the same as sign operation, except it looks like SSH always sends data with hash algorithm signature appended at the beginning, but the data is of different size than the signature detection code expects, so it always fallback to default behavior, which is to append SHA1 signature. As having 2 different signature prefixes is incorrect, we need to use the different default value from the sign action, which is to not append anything in case of auth operation. Closes alonbl#27 Signed-off-by: Mateusz Gozdek <mgozdekof@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It seems that right now when you add
enable-ssh-supportto~/.gnupg/gpg-agent.confand the right keygrip to.gnupg/sshcontrol, listing SSH keys sort of works:Debug logs:
However, SSH authentication does not work:
Debug logs:
Would it be difficult to get this to work? Do you have some pointer how this could be done?
My motivation was to simplify the setup a bit, to be able to not use
ssh-agentat all. I was hoping GPG could handle entering PIN and unplugged smart card better thanssh-agentwith PKCS#11.The text was updated successfully, but these errors were encountered: