Bug 5201 - Consider supporting pkcs#11 modules that only implement crypto
Summary: Consider supporting pkcs#11 modules that only implement crypto
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Smart card
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.7.0
Assignee: Pierre Ossman
URL:
Keywords: hean01_tester, relnotes, thomas_tester
Depends on:
Blocks:
 
Reported: 2014-06-27 15:37 CEST by Aaron Sowry
Modified: 2016-09-23 10:14 CEST

See Also:
Acceptance Criteria:


Description Aaron Sowry cendio 2014-06-27 15:37:43 CEST
Right now we require SHA1_RSA_PKCS; it would be useful to support others when this is not available.
Comment 2 Pierre Ossman cendio 2014-07-02 12:53:26 CEST
We would still require the crypto algorithms that are necessary for SSH (i.e. RSA, and possibly ECDSA in the future), so this is about doing the hashing and PKCS#7 stuff in tlclient and just using the PKCS#11 module for the raw crypto.
Comment 3 Pierre Ossman cendio 2014-07-02 12:59:35 CEST
One question is whether we should support CKM_RSA_X_509, CKM_RSA_PKCS or both. NSS apparently only uses CKM_RSA_PKCS:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Implement
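The split discussed in the two comments above (hash and DigestInfo built in the client, only the RSA primitive done by the module) can be checked against the three mechanism variants. The following is an added example and not ThinLinc or OpenSC code: it emulates what a token does for CKM_SHA1_RSA_PKCS, CKM_RSA_PKCS and CKM_RSA_X_509, then shows a client-side fallback that produces a byte-identical signature whichever of the three the module offers. The key is a constructed toy built from two Mersenne primes and must not be mistaken for a real key; the DigestInfo prefixes are the standard ones from RFC 8017 section 9.2.

```python
"""
Emulate the PKCS#11 RSA signing mechanisms and a client-side fallback.

Added example, not project code. The RSA key below is a deliberately
toy key (two Mersenne primes) used only so the arithmetic is concrete.
"""
import hashlib

# --- constructed toy key: illustration only, NOT secure, NOT from a token ---
P = (1 << 127) - 1            # Mersenne prime M127
Q = (1 << 521) - 1            # Mersenne prime M521
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (81 here)

# DER-encoded DigestInfo prefixes (RFC 8017, section 9.2, note 1)
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def digest_info(hash_name: str, message: bytes) -> bytes:
    """T = DigestInfo(hash(message)), the value CKM_RSA_PKCS expects as input."""
    return DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()


def emsa_pkcs1_v15(t: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T with PS = 0xff..., len(EM) == k."""
    if len(t) > k - 11:               # PS must be at least 8 bytes
        raise ValueError("modulus too short for this DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


# --- what the module implements for each mechanism --------------------------
def mech_rsa_x_509(data: bytes) -> bytes:
    """CKM_RSA_X_509: raw RSA; the caller supplies a full k-byte block."""
    if len(data) != K:
        raise ValueError("CKM_RSA_X_509 input must be exactly k bytes")
    return pow(int.from_bytes(data, "big"), D, N).to_bytes(K, "big")


def mech_rsa_pkcs(data: bytes) -> bytes:
    """CKM_RSA_PKCS: module adds PKCS#1 v1.5 block type 1 padding, then raw RSA."""
    return mech_rsa_x_509(emsa_pkcs1_v15(data, K))


def mech_sha1_rsa_pkcs(message: bytes) -> bytes:
    """CKM_SHA1_RSA_PKCS: module hashes, wraps in DigestInfo, pads, raw RSA."""
    return mech_rsa_pkcs(digest_info("sha1", message))


# --- client side: use the richest mechanism available, do the rest locally --
def sign_with_fallback(message: bytes, available: set, hash_name: str = "sha1") -> bytes:
    """Return a PKCS#1 v1.5 signature using whatever mechanism the module has."""
    if hash_name == "sha1" and "CKM_SHA1_RSA_PKCS" in available:
        return mech_sha1_rsa_pkcs(message)
    t = digest_info(hash_name, message)           # hashing done in the client
    if "CKM_RSA_PKCS" in available:
        return mech_rsa_pkcs(t)                   # module pads
    if "CKM_RSA_X_509" in available:
        return mech_rsa_x_509(emsa_pkcs1_v15(t, K))  # client pads as well
    raise RuntimeError("module offers no usable RSA signing mechanism")


def verify(message: bytes, sig: bytes, hash_name: str = "sha1") -> bool:
    """Public-key check: recovered EM must equal the expected padded DigestInfo."""
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    return em == emsa_pkcs1_v15(digest_info(hash_name, message), K)


if __name__ == "__main__":
    msg = b"ssh-userauth challenge"               # constructed sample input
    for mechs in ({"CKM_SHA1_RSA_PKCS"}, {"CKM_RSA_PKCS"}, {"CKM_RSA_X_509"}):
        sig = sign_with_fallback(msg, mechs)
        print(sorted(mechs)[0], "ok" if verify(msg, sig) else "FAIL")
```

Because PKCS#1 v1.5 signing is deterministic, the signature is the same bytes regardless of which of the three mechanisms did the work, which is why a verifier such as an SSH server cannot tell the difference. Note that only the CKM_RSA_X_509 path also requires the client to produce the padding, and that the client doing its own hashing is what makes other hashes (the "sha256" case above) available even on a module that only knows SHA-1-in-RSA or no hash at all.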
Comment 4 Pierre Ossman cendio 2014-07-02 16:26:36 CEST
We need a SHA-1 implementation that we can link into tlclient. NetBSD seems to have one, which should be sufficient licence-wise:

https://github.com/search?l=c&q=%22public+domain%22+%22sha1%22&ref=searchresults&type=Code
Comment 5 Pierre Ossman cendio 2016-06-17 10:14:17 CEST
We will probably need more hashing algorithms in the future, so let's use nettle which we already have in the build system. It is LGPL so there is no problem linking to it.
Comment 9 Pierre Ossman cendio 2016-06-20 10:23:24 CEST
Works fine.

Tester should verify that authentication still works. For the paranoid I've also built a special opensc without SHA1_RSA_PKCS support (~ossman/tmp/opensc-nosha.so).
Comment 10 Thomas Nilefalk cendio 2016-06-23 13:23:09 CEST
Tested that login using smart card still works on MacOSX, ARM and Win64 with one of the new test cards with RSA2048 key.
