Mailing List Archive

[PATCH v2 0/2] Add openssl engine keys with provider upgrade path
I've architected this in a way that looks future proof at least to the
openssl provider transition. What will happen in openssl 3.0.0 is
that providers become active and will accept keys via URI. The
current file mechanisms will still be available but internally it will
become a file URI. To support the provider interface, openssl will
have to accept keys by URI instead of file and may choose to support
the provider serialization API. Note, though that most token and
engine based keys won't support serialization because it's simply not
possible.

The engine mechanism this patch adds is essentially the fledgling URI
mechanism except that in current form, openssh checks for an openable
file. However, the concept of passing the "file" argument of ssh-add
straight to the engine is what becomes a URI in the provider
interface. Once the transition to providers is complete, the engine
code and the iteration over engines can be eliminated because the
provider API will take care of doing all that internally. The only
piece which will survive is the transmission of keys to the agent by
URI.

The way the patch is structured is to first make public an internal
API to convert EVP_PKEY to sslkey. All openssl keys need this type of
conversion so it's useful for engine keys as well and means we don't
need a different sshkey type for engine keys (they key off the
SSHKEY_FLAG_EXT instead).

James

---

James Bottomley (2):
sshkey: expose openssl EVP_PKEY to sshkey conversion routine.
Add support for openssl engine based keys

Makefile.in | 2 +-
authfd.c | 44 ++++++++++++++
authfd.h | 6 ++
ssh-add.c | 36 ++++++++++++
ssh-agent.c | 74 ++++++++++++++++++++++++
ssh-engine.c | 159 +++++++++++++++++++++++++++++++++++++++++++++++++++
ssh-engine.h | 9 +++
sshkey.c | 87 ++++++++++++++++------------
sshkey.h | 5 ++
9 files changed, 384 insertions(+), 38 deletions(-)
create mode 100644 ssh-engine.c
create mode 100644 ssh-engine.h

--
2.26.2

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev