[Bug 3613] New: Unable to sign using certificates and PKCS#11
https://bugzilla.mindrot.org/show_bug.cgi?id=3613

Bug ID: 3613
Summary: Unable to sign using certificates and PKCS#11
Product: Portable OpenSSH
Version: 8.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs@mindrot.org
Reporter: aim@orbit.online

From my own experimentation and from looking at the code and some of
the reported bugs here I believe it is currently not possible to sign
arbitrary data with ssh-keygen and an SSH certificate (e.g. for git
commit signing, verified using @cert-authority).

I have tried specifying the certificate when invoking ssh-keygen with
```
$ ssh-add -e /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
Enter passphrase for PKCS#11:
Card added: /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
$ ssh-keygen -Y sign -f ~/.ssh/id_rsa-cert.pub -n file test.txt
debug2: hash_file: hashed 3401 bytes
debug3: hash_file: final hash:
1239125ebf618d51bfe64e65dce15530a7a3c9c230438b537564261473c050cd915185a8c19dbb85f40e4faf4367a9779fc54564bcc8de0824e42004c3e3777f
Couldn't sign message (signer): agent refused operation
Signing config/git/config failed: agent refused operation
```

though the `-f` option seems to be ignored and the `ssh-agent` looks
for an RSA-CERT when only RSA keys are loaded:

```
debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 20
debug2: process_add_smartcard_key: entering
debug1: process_add_smartcard_key: add
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0
debug1: process_add
debug1: provider /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0:
manufacturerID <PKCS#11 Kit> cryptokiVersion 2.40 libraryDescription
<PKCS#11 Kit Proxy Module> libraryVersion 1.1
debug1: provider /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0:
label <YubiKey PIV #19258332> manufacturerID <Yubico (www.yubico.com)>
model <YubiKey YK5> serial <19258332> flags 0x40d
debug2: pkcs11_fetch_keys: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:vRdQ4M0pBHf4Cb4pqxFGVTeJmqRTzRusvXxu7vRrjNk
debug1: have 1 keys
debug2: pkcs11_fetch_keys: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:54W0/9rkv84M3pwsFa7qvWkCeQGbkWlwSkvk1fcsrV0
debug1: have 2 keys
debug2: pkcs11_fetch_certs: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:vRdQ4M0pBHf4Cb4pqxFGVTeJmqRTzRusvXxu7vRrjNk
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55878dee71a0 ptr 0x55878dee5e90 idx 1
debug1: pkcs11_provider_unref: provider
"/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0" refcount 3
debug2: pkcs11_fetch_certs: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:54W0/9rkv84M3pwsFa7qvWkCeQGbkWlwSkvk1fcsrV0
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55878dee68c0 ptr 0x55878dee6290 idx 1
debug1: pkcs11_provider_unref: provider
"/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0" refcount 3
debug2: pkcs11_fetch_certs: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:vRdQ4M0pBHf4Cb4pqxFGVTeJmqRTzRusvXxu7vRrjNk
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55878dee7640 ptr 0x55878dee5f20 idx 1
debug1: pkcs11_provider_unref: provider
"/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0" refcount 3
debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
debug3: identity_permitted: entering: key RSA comment "Public key for
PIV Authentication", 0 socket bindings, 0 constraints
debug3: identity_permitted: entering: key RSA comment "Public key for
PIV Attestation", 0 socket bindings, 0 constraints
debug2: process_request_identities: replying with 2 allowed of 2
available keys
debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign_request2: entering
process_sign_request2: RSA-CERT key not found
```

It is also not possible to get `ssh-agent` to load the certificate
with:
```
$ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
~/.ssh/id_rsa-cert.pub
Enter passphrase for PKCS#11:
Card added: /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
```

Where the `ssh-agent` looks like this:
```
debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 20
debug2: process_add_smartcard_key: entering
debug1: process_add_smartcard_key: add
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0
debug1: process_add
debug1: provider /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0:
manufacturerID <PKCS#11 Kit> cryptokiVersion 2.40 libraryDescription
<PKCS#11 Kit Proxy Module> libraryVersion 1.1
debug1: provider /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0:
label <YubiKey PIV #19258332> manufacturerID <Yubico (www.yubico.com)>
model <YubiKey YK5> serial <19258332> flags 0x40d
debug2: pkcs11_fetch_keys: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:vRdQ4M0pBHf4Cb4pqxFGVTeJmqRTzRusvXxu7vRrjNk
debug1: have 1 keys
debug2: pkcs11_fetch_keys: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:54W0/9rkv84M3pwsFa7qvWkCeQGbkWlwSkvk1fcsrV0
debug1: have 2 keys
debug2: pkcs11_fetch_certs: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:vRdQ4M0pBHf4Cb4pqxFGVTeJmqRTzRusvXxu7vRrjNk
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55878dee9c50 ptr 0x55878dee87d0 idx 1
debug1: pkcs11_provider_unref: provider
"/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0" refcount 3
debug2: pkcs11_fetch_certs: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:54W0/9rkv84M3pwsFa7qvWkCeQGbkWlwSkvk1fcsrV0
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55878dee83b0 ptr 0x55878dee8c90 idx 1
debug1: pkcs11_provider_unref: provider
"/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0" refcount 3
debug2: pkcs11_fetch_certs: provider
/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 slot 0: RSA
SHA256:vRdQ4M0pBHf4Cb4pqxFGVTeJmqRTzRusvXxu7vRrjNk
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55878deea160 ptr 0x55878dee8cc0 idx 1
debug1: pkcs11_provider_unref: provider
"/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0" refcount 3
```

A workaround would be to somehow support the `-O CertificateFile`
option in `ssh-keygen` like `ssh` does.
A more robust way to solve this would of course be to support loading
certificate files into the ssh-agent.
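The agent error shown above, `process_sign_request2: RSA-CERT key not found`, means the agent holds bare keys but no certificate object for them. As an added example that is not part of this bug report, the Python below parses one `ssh-rsa-cert-v01@openssh.com` line from `id_rsa-cert.pub` (field layout per OpenSSH's PROTOCOL.certkeys) and checks whether the bare key the certificate wraps is among the keys `ssh-add -L` lists, so "key not loaded" can be told apart from "only the certificate is missing"; `make_demo` builds a constructed, unsigned certificate and a matching listing line so the check runs offline.

```python
import base64
import hashlib
import struct
# Added example (not from the bug report): parse an OpenSSH RSA certificate
# (layout per OpenSSH PROTOCOL.certkeys) and recover the fingerprint of the
# bare key it wraps, to compare with what ssh-agent lists via `ssh-add -L`.

def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:  # extra byte keeps a high-bit-set value positive
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def fingerprint(blob: bytes) -> str:
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def cert_inner_key_fingerprint(cert_line: str) -> str:
    """Fingerprint of the ssh-rsa key inside one line of id_rsa-cert.pub."""
    keytype, b64 = cert_line.split()[:2]
    if keytype != "ssh-rsa-cert-v01@openssh.com":
        raise ValueError("not an RSA certificate: " + keytype)
    blob, off = base64.b64decode(b64), 0
    _, off = _read_string(blob, off)    # key type (checked above)
    _, off = _read_string(blob, off)    # nonce
    e_b, off = _read_string(blob, off)  # mpint e, kept byte-for-byte
    n_b, off = _read_string(blob, off)  # mpint n
    return fingerprint(_string(b"ssh-rsa") + _string(e_b) + _string(n_b))

def agent_has_cert_key(cert_line: str, ssh_add_l_output: str) -> bool:
    """True if a key listed by `ssh-add -L` is the key the cert wraps."""
    want = cert_inner_key_fingerprint(cert_line)
    for line in ssh_add_l_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ssh-rsa":
            if fingerprint(base64.b64decode(parts[1])) == want:
                return True
    return False

def make_demo(e: int, n: int):
    """Constructed, unsigned user cert plus the matching `ssh-add -L` line."""
    key = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    body = (_string(b"ssh-rsa-cert-v01@openssh.com") + _string(b"nonce")
            + _mpint(e) + _mpint(n) + struct.pack(">QI", 1, 1)  # serial, user type
            + _string(b"demo") + _string(_string(b"user"))      # key id, principals
            + struct.pack(">QQ", 0, 2**64 - 1)                  # valid after/before
            + _string(b"") * 5)  # critical opts, extensions, reserved, CA key, sig
    cert = "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode()
    return cert + " demo", "ssh-rsa " + base64.b64encode(key).decode() + " demo"
```

Against a real setup, feed the first line of `~/.ssh/id_rsa-cert.pub` and the output of `ssh-add -L`; a match that still ends in "RSA-CERT key not found" confirms the agent has the key but not the certificate.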

_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs