Support for SSH authentication #27
Comments
After a quick look at the code, it seems that for the first error we would have to implement
For the 2nd one, we would need to implement
I also found https://sourceforge.net/p/gnupg-pkcs11/mailman/message/393565/ and https://sourceforge.net/p/gnupg-pkcs11/mailman/message/393567/. I wonder if anything changed since then.
It seems using
It seems this is optional for functioning.
Once I changed the argument for
Final patch:
From 530880802537664531ef1682c431e41e7ddcb647 Mon Sep 17 00:00:00 2001
From: Mateusz Gozdek <mgozdekof@gmail.com>
Date: Mon, 15 Mar 2021 12:34:49 +0100
Subject: [PATCH] test auth
Signed-off-by: Mateusz Gozdek <mgozdekof@gmail.com>
---
gnupg-pkcs11-scd/command.c | 41 ++++++++++++++++++++++++-------------
gnupg-pkcs11-scd/command.h | 1 +
gnupg-pkcs11-scd/scdaemon.c | 2 +-
3 files changed, 29 insertions(+), 15 deletions(-)
diff --git gnupg-pkcs11-scd/command.c gnupg-pkcs11-scd/command.c
index 331a005..ebc9ffb 100644
--- gnupg-pkcs11-scd/command.c
+++ gnupg-pkcs11-scd/command.c
@@ -52,6 +52,17 @@
#define OPENPGP_ENCR 2
#define OPENPGP_AUTH 3
+typedef enum {
+ INJECT_NONE=0,
+ INJECT_RMD160,
+ INJECT_MD5,
+ INJECT_SHA1,
+ INJECT_SHA224,
+ INJECT_SHA256,
+ INJECT_SHA384,
+ INJECT_SHA512
+} inject;
+
/**
@file
Implementation of assuan commands. Currently, only one card is supported,
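Review bot: the new file-scope `typedef enum { ... } inject;` uses a very generic lowercase identifier as a type name, and the function body later declares a local variable with the same name (`inject inject;`), which hides the type for the rest of that block; declare it as a plain `enum inject_type { ... }` without the typedef and give the variable a distinct name, which also matches the maintainer's request to drop the typedef.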
@@ -974,8 +985,7 @@ cleanup:
return gpg_error (error);
}
-/** Sign data (set by SETDATA) with certificate id in line. */
-gpg_error_t cmd_pksign (assuan_context_t ctx, char *line)
+gpg_error_t _cmd_pksign_type (assuan_context_t ctx, char *line, int typehint, inject injectDefault)
{
static const unsigned char rmd160_prefix[] = /* (1.3.36.3.2.1) */
{ 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x24, 0x03,
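Review bot: `_cmd_pksign_type` is given external linkage although it is only called from the two wrappers in this file and is not declared in command.h; make it `static` (as the maintainer asks below) and prefer a name without a leading underscore, since file-scope identifiers beginning with `_` are reserved in C.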
@@ -1013,16 +1023,7 @@ gpg_error_t cmd_pksign (assuan_context_t ctx, char *line)
unsigned char *sig = NULL;
size_t sig_len;
char hash[100] = "";
- enum {
- INJECT_NONE,
- INJECT_RMD160,
- INJECT_MD5,
- INJECT_SHA1,
- INJECT_SHA224,
- INJECT_SHA256,
- INJECT_SHA384,
- INJECT_SHA512
- } inject = INJECT_NONE;
+ inject inject;
if (data->data == NULL) {
error = GPG_ERR_INV_DATA;
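Review bot: the replacement declaration `inject inject;` drops the `= INJECT_NONE` initializer the removed declaration had, so the variable now starts uninitialized; unless every path through the prefix-detection code assigns it before it is read, keep the initializer (`= INJECT_NONE`) so the behaviour does not depend on leftover stack contents.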
@@ -1133,7 +1134,7 @@ gpg_error_t cmd_pksign (assuan_context_t ctx, char *line)
* unknown hash algorithm;
* gnupg's scdaemon forces to SHA1
*/
- inject = INJECT_SHA1;
+ inject = injectDefault;
}
}
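Review bot: the comment immediately above the changed line still says "gnupg's scdaemon forces to SHA1", which is now only true for the PKSIGN caller; after this change the fallback is whatever `injectDefault` the caller passed (SHA1 for PKSIGN, none for PKAUTH), so update the comment to describe both cases.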
@@ -1197,7 +1198,7 @@ gpg_error_t cmd_pksign (assuan_context_t ctx, char *line)
(error = _get_certificate_by_name (
ctx,
line,
- OPENPGP_SIGN,
+ typehint,
&cert_id,
NULL
)) != GPG_ERR_NO_ERROR
@@ -1298,6 +1299,18 @@ cleanup:
return gpg_error (error);
}
+/** Sign data (set by SETDATA) with certificate id in line. */
+gpg_error_t cmd_pksign (assuan_context_t ctx, char *line)
+{
+ return _cmd_pksign_type(ctx, line, OPENPGP_SIGN, INJECT_SHA1);
+}
+
+/** Sign data (set by SETDATA) with certificate id in line. */
+gpg_error_t cmd_pkauth (assuan_context_t ctx, char *line)
+{
+ return _cmd_pksign_type(ctx, line, OPENPGP_AUTH, INJECT_NONE);
+}
+
/** Decrypt data (set by SETDATA) with certificate id in line. */
gpg_error_t cmd_pkdecrypt (assuan_context_t ctx, char *line)
{
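Review bot: the doc comment on `cmd_pkauth` is a verbatim copy of the one on `cmd_pksign` ("Sign data (set by SETDATA) with certificate id in line."); it should state that PKAUTH signs with the OPENPGP_AUTH key and injects no digest prefix when none is detected, since that is the actual difference between the two wrappers.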
diff --git gnupg-pkcs11-scd/command.h gnupg-pkcs11-scd/command.h
index cd17663..7d25798 100644
--- gnupg-pkcs11-scd/command.h
+++ gnupg-pkcs11-scd/command.h
@@ -49,6 +49,7 @@ gpg_error_t cmd_readcert (assuan_context_t ctx, char *line);
gpg_error_t cmd_readkey (assuan_context_t ctx, char *line);
gpg_error_t cmd_setdata (assuan_context_t ctx, char *line);
gpg_error_t cmd_pksign (assuan_context_t ctx, char *line);
+gpg_error_t cmd_pkauth (assuan_context_t ctx, char *line);
gpg_error_t cmd_pkdecrypt (assuan_context_t ctx, char *line);
gpg_error_t cmd_random (assuan_context_t ctx, char *line);
gpg_error_t cmd_checkpin (assuan_context_t ctx, char *line);
diff --git gnupg-pkcs11-scd/scdaemon.c gnupg-pkcs11-scd/scdaemon.c
index 760ed63..6a026f3 100644
--- gnupg-pkcs11-scd/scdaemon.c
+++ gnupg-pkcs11-scd/scdaemon.c
@@ -125,7 +125,7 @@ register_commands (const assuan_context_t ctx)
{ "KEY-DATA", NULL, NULL },
{ "SETDATA", cmd_setdata, NULL },
{ "PKSIGN", cmd_pksign, NULL },
- { "PKAUTH", NULL, NULL },
+ { "PKAUTH", cmd_pkauth, NULL },
{ "PKDECRYPT", cmd_pkdecrypt, NULL },
{ "INPUT", NULL, NULL },
{ "OUTPUT", NULL, NULL },
--
2.30.2
I'm curious if I missed something and if such a patch would be accepted.
Thanks, looks good! Can you please create a proper pull request so I can merge it as-is? Can you please try to drop the typedef and use enum directly?
Sure, I'll have a look. Thanks!
and please make the _cmd_pksign_type static.
This commit adds PKAUTH command support to gnupg-pkcs11-scd, so gpg-agent with the "enable-ssh-support" setting defined can act as an SSH agent when PKCS11 is used as a GPG backend.

Auth operation is almost the same as sign operation, except it looks like SSH always sends data with the hash algorithm signature appended at the beginning, but the data is of a different size than the signature detection code expects, so it always falls back to the default behavior, which is to append the SHA1 signature. As having 2 different signature prefixes is incorrect, we need to use a different default value from the sign action, which is to not append anything in case of the auth operation.

Closes alonbl#27

Signed-off-by: Mateusz Gozdek <mgozdekof@gmail.com>
Created #28.
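To make the digest-prefix behaviour the commit message describes concrete, here is an added C example; it is not code from gnupg-pkcs11-scd or from this thread. It models the patch's decision in isolation: input that already carries a recognised PKCS#1 v1.5 DigestInfo prefix passes through, and otherwise the sign path prepends the SHA1 prefix (the old default) while the auth path prepends nothing (the patch's INJECT_NONE default). The `pk_op` enum, the `sample_digest` bytes and the three-entry prefix table are constructed for the example and are a simplified stand-in for the project's own detection code; the prefix constants themselves are the standard DER encodings.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical operation selector for this example; the project itself uses
   its OPENPGP_* constants (only OPENPGP_ENCR and OPENPGP_AUTH appear in the patch). */
enum pk_op { PK_OP_SIGN, PK_OP_AUTH };

/* Standard PKCS#1 v1.5 DigestInfo prefixes: DER AlgorithmIdentifier followed
   by the OCTET STRING header that precedes the raw digest. */
static const unsigned char sha1_prefix[] =
    { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a,
      0x05, 0x00, 0x04, 0x14 };
static const unsigned char rmd160_prefix[] =
    { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x24, 0x03, 0x02, 0x01,
      0x05, 0x00, 0x04, 0x14 };
static const unsigned char sha256_prefix[] =
    { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
      0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };

struct known_prefix { const unsigned char *bytes; size_t len; size_t digest_len; };
static const struct known_prefix known[] = {
    { sha1_prefix,   sizeof sha1_prefix,   20 },
    { rmd160_prefix, sizeof rmd160_prefix, 20 },
    { sha256_prefix, sizeof sha256_prefix, 32 },
};

/* Constructed sample input: a fake 20-byte SHA1 digest (0xab repeated). */
const unsigned char sample_digest[20] = {
    0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
    0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab };

/* Returns 1 when data is exactly a known DigestInfo prefix followed by a
   digest of the matching length, 0 otherwise. */
int has_digestinfo_prefix(const unsigned char *data, size_t len)
{
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++) {
        if (len == known[i].len + known[i].digest_len &&
            memcmp(data, known[i].bytes, known[i].len) == 0)
            return 1;
    }
    return 0;
}

/* Prepares the buffer handed to the raw PKCS#1 signing operation and returns
   its length (0 if out is too small). Recognised DigestInfo input passes
   through for both operations. Unrecognised input: PK_OP_SIGN prepends the
   SHA1 prefix (the pre-patch fallback), PK_OP_AUTH passes it through
   (the patch's INJECT_NONE default), so an ssh-agent request that already
   carries its own DigestInfo never ends up with two prefixes. */
size_t prepare_pkcs1_input(enum pk_op op, const unsigned char *data, size_t len,
                           unsigned char *out, size_t outcap)
{
    if (op == PK_OP_AUTH || has_digestinfo_prefix(data, len)) {
        if (len > outcap)
            return 0;
        memcpy(out, data, len);
        return len;
    }
    if (sizeof sha1_prefix + len > outcap)
        return 0;
    memcpy(out, sha1_prefix, sizeof sha1_prefix);
    memcpy(out + sizeof sha1_prefix, data, len);
    return sizeof sha1_prefix + len;
}

/* Builds the kind of input the commit message describes: a 20-byte digest
   already wrapped in a SHA1 DigestInfo. Returns the total length written. */
size_t build_sha1_digestinfo(const unsigned char *digest, unsigned char *out, size_t outcap)
{
    if (sizeof sha1_prefix + 20 > outcap)
        return 0;
    memcpy(out, sha1_prefix, sizeof sha1_prefix);
    memcpy(out + sizeof sha1_prefix, digest, 20);
    return sizeof sha1_prefix + 20;
}

int main(void)
{
    unsigned char wrapped[64], out[64];
    size_t wlen = build_sha1_digestinfo(sample_digest, wrapped, sizeof wrapped);
    printf("bare digest, sign: %zu bytes\n",
           prepare_pkcs1_input(PK_OP_SIGN, sample_digest, 20, out, sizeof out));
    printf("bare digest, auth: %zu bytes\n",
           prepare_pkcs1_input(PK_OP_AUTH, sample_digest, 20, out, sizeof out));
    printf("wrapped digest, auth: %zu bytes (unchanged)\n",
           prepare_pkcs1_input(PK_OP_AUTH, wrapped, wlen, out, sizeof out));
    return 0;
}
```

The length check in `has_digestinfo_prefix` is the point the commit message turns on: detection only succeeds when prefix length plus digest length match the input exactly, so any other size falls to the per-operation default, and the auth default of passing the data through is what prevents a second prefix being stacked on top of the one ssh-agent already supplied.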
It seems that right now when you add enable-ssh-support to ~/.gnupg/gpg-agent.conf and the right keygrip to .gnupg/sshcontrol, listing SSH keys sort of works:

Debug logs:

However, SSH authentication does not work:

Debug logs:

Would it be difficult to get this to work? Do you have some pointers on how this could be done?

My motivation was to simplify the setup a bit, to be able to not use ssh-agent at all. I was hoping GPG could handle entering the PIN and an unplugged smart card better than ssh-agent with PKCS#11.