[Bug 3613] Unable to sign using certificates and PKCS#11
https://bugzilla.mindrot.org/show_bug.cgi?id=3613

Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |djm@mindrot.org

--- Comment #1 from Damien Miller <djm@mindrot.org> ---
Created attachment 3730
--> https://bugzilla.mindrot.org/attachment.cgi?id=3730&action=edit
Attempt to lookup plain private key in agent

I think this should fix it, but I'm unable to test ATM.

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3613] Unable to sign using certificates and PKCS#11
https://bugzilla.mindrot.org/show_bug.cgi?id=3613

--- Comment #2 from Damien Miller <djm@mindrot.org> ---
Another way to fix it would be to allow adding p11 keys to the agent
while specifying a certificate to graft to them.

[Bug 3613] Unable to sign using certificates and PKCS#11
https://bugzilla.mindrot.org/show_bug.cgi?id=3613

--- Comment #3 from aim@orbit.online ---
Created attachment 3734
--> https://bugzilla.mindrot.org/attachment.cgi?id=3734&action=edit
Self-contained testscript for cert signing via HSM

First of all, thank you for the quick response and a potential fix! And
second of all, my apologies for dragging my feet to get this tested!

OK. So it still fails with "process_sign_request2: RSA-CERT key not
found". However, I'm 50/50 on whether I'm using ssh-keygen correctly.
It's a... rather large tool :-)

I have attached a testing script that applies your patch and then tests
everything automatically using SoftHSMv2. It's self-contained and
cleans up after itself. So you should be able to just run it (if you
have docker installed).

Do note that I'm applying the patch to and testing with 9.0p1, which is
the latest version available on Ubuntu. The patch applies cleanly, so I
don't think that that's the issue.

p.s.: Even though the script is a bit quick & dirty I hope this is
usable as a template for an eventual regression test :-)

[Bug 3613] Unable to sign using certificates and PKCS#11
https://bugzilla.mindrot.org/show_bug.cgi?id=3613

aim@orbit.online changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |aim@orbit.online
