Bug 5201 - Consider supporting pkcs#11 modules that only implement crypto
: Consider supporting pkcs#11 modules that only implement crypto
: ThinLinc
Smart card
: trunk
: PC Unknown
: P2 Normal
: 4.7.0
Assigned To:
  Show dependency treegraph
Reported: 2014-06-27 15:37 by
Modified: 2016-09-23 10:14 (History)
Acceptance Criteria:



You need to log in before you can comment on or make changes to this bug.

Description From cendio 2014-06-27 15:37:43
Right now we require SHA1_RSA_PKCS; it would be useful to support others when
this is not available.
------- Comment #2 From cendio 2014-07-02 12:53:26 -------
We would still require the crypto algorithms that are necessary for SSH (i.e.
RSA, and possible ECDSA in the future), so this is about doing the hashing and
PKCS#7 stuff in tlclient and just use the PKCS#11 module for the raw crypto.
------- Comment #3 From cendio 2014-07-02 12:59:35 -------
One question is we should support CKM_RSA_X_509, CKM_RSA_PKCS or both. NSS
apparently only uses CKM_RSA_PKCS:

------- Comment #4 From cendio 2014-07-02 16:26:36 -------
We need a SHA-1 implementation that we can link into tlclient. NetBSD seems to
has one, which should be sufficient licence wise:

------- Comment #5 From cendio 2016-06-17 10:14:17 -------
We will probably need more hashing algorithms in the future, so let's use
nettle which we already have in the build system. It is LGPL so there is no
problem linking to it.
------- Comment #9 From cendio 2016-06-20 10:23:24 -------
Works fine.

Tester should verify that authentication still works. For the paranoid I've
also built a special opensc without SHA1_RSA_PKCS support
------- Comment #10 From cendio 2016-06-23 13:23:09 -------
Tested that login using smart card still works on MacOSX, ARM and Win64 with
one of the new testcard with RSA2048 key.