OpenSSH PKCS#11 interface does not support ECC.

Bug #1665695 reported by Evgeny Khorkin on 2017-02-17
This bug affects 1 person
Affects: openssh (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

The OpenSSH client doesn't support Elliptic Curve keys on a PKCS11 smartcard.

ssh-keygen -v -D /usr/lib/libeTPkcs11.so
debug1: manufacturerID <SafeNet, Inc.> cryptokiVersion 2.20 libraryDescription <SafeNet eToken PKCS#11> libraryVersion 9.1
debug1: label <Evgeny Khorkin> manufacturerID <SafeNet, Inc.> model <eToken> serial <> flags 0x60d
C_GetAttributeValue failed: 18
debug1: X509_get_pubkey failed or no rsa
debug1: X509_get_pubkey failed or no rsa
debug1: X509_get_pubkey failed or no rsa
no keys
cannot read public key from pkcs11

pkcs11-tool --module /usr/lib/libeTPkcs11.so -O
...
Public Key Object; EC EC_POINT 256 bits
  EC_POINT: 04410474c5423bd0aa44b7825b3e79cd839e06736b18466b131d0884dbf8d946fbdc7f3297e73b998acf56550c303dc972a4dec51b9a3b746d3fe9fb4a44bd84b080fc
  EC_PARAMS: 06082a8648ce3d030107
  label: TestECCpair
  Usage: encrypt, verify, wrap

There is an upstream bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2474
Suggested patch: https://bugzilla.mindrot.org/attachment.cgi?id=2728

release: Ubuntu 16.04.2 LTS
openssh version: 7.2p2-4ubuntu2.1
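
Added example, not part of the original report and not code from OpenSSH or the suggested patch: the two attributes pkcs11-tool printed above are enough to build the ecdsa-sha2-nistp256 public key line that ssh-keygen -D could not produce. EC_PARAMS is a DER curve OID and EC_POINT is a DER OCTET STRING wrapping the uncompressed point. The function names, and the P-384/P-521 entries beyond the report's P-256 key, are assumptions of this example.

```python
import base64
import struct

# Attribute values copied from the pkcs11-tool output in the report.
EC_PARAMS_HEX = "06082a8648ce3d030107"
EC_POINT_HEX = ("04410474c5423bd0aa44b7825b3e79cd839e06736b18466b131d0884dbf8d946fb"
                "dc7f3297e73b998acf56550c303dc972a4dec51b9a3b746d3fe9fb4a44bd84b080fc")

# DER OID content bytes -> (SSH curve name per RFC 5656, field size in bytes).
CURVES = {
    bytes.fromhex("2a8648ce3d030107"): ("nistp256", 32),  # 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): ("nistp384", 48),        # 1.3.132.0.34
    bytes.fromhex("2b81040023"): ("nistp521", 66),        # 1.3.132.0.35
}

def der_unwrap(data, tag):
    """Return the content of exactly one DER TLV carrying the expected tag."""
    if len(data) < 2 or data[0] != tag:
        raise ValueError("unexpected DER tag")
    length, offset = data[1], 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, offset = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if offset + length != len(data):
        raise ValueError("DER length does not match attribute size")
    return data[offset:]

def ssh_string(b):
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def openssh_blob(ec_params_hex, ec_point_hex):
    """Build the RFC 5656 public-key blob from CKA_EC_PARAMS and CKA_EC_POINT."""
    oid = der_unwrap(bytes.fromhex(ec_params_hex), 0x06)   # OBJECT IDENTIFIER
    if oid not in CURVES:
        raise ValueError("curve has no ecdsa-sha2-* key type")
    curve, size = CURVES[oid]
    point = der_unwrap(bytes.fromhex(ec_point_hex), 0x04)  # OCTET STRING
    if len(point) != 1 + 2 * size or point[0] != 0x04:
        raise ValueError("expected an uncompressed point (0x04 || X || Y)")
    # Not checked here: that (X, Y) actually lies on the curve.
    key_type = ("ecdsa-sha2-" + curve).encode()
    return ssh_string(key_type) + ssh_string(curve.encode()) + ssh_string(point)

def authorized_keys_line(ec_params_hex, ec_point_hex, comment):
    """Format the blob the way it appears in authorized_keys."""
    blob = openssh_blob(ec_params_hex, ec_point_hex)
    key_type = blob[4:4 + struct.unpack(">I", blob[:4])[0]].decode()
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

if __name__ == "__main__":
    print(authorized_keys_line(EC_PARAMS_HEX, EC_POINT_HEX, "TestECCpair"))
```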
