Naomaru Itoi wrote:
> 
> Hello,
> 
> I have been talking with Markus Friedl
> <[EMAIL PROTECTED]> in the OpenSSH developers
> group about possible smartcard integration to OpenSSH.  That is, to
> store an RSA key pair on a smartcard and carry out RSA operation
> there. 

We have done something similar, in the Globus project, and demonstrated
the use of Smartcards at Super Computing 98, in December 1998.

We defined sc_RSA_eay_private_encrypt and sc_RSA_eay_private_decrypt,
which use PKCS#11 to talk to the smartcard. We in effect generate a new method:

    rsa = RSA_new();
    /*
     * set to use our method for this key. 
     * This will use the smart card for this key
     * But to do this requires us to copy the RSA method, and
     * replace two routines. This is done this way to avoid
     * changes to the SSLeay, and since these routines are not
     * exported in the Win32 DLL.
     */

    nmeth = (RSA_METHOD *)malloc(sizeof(RSA_METHOD));
    if (!nmeth) {
        return 1; /* DEE need to fix */
    }
    ometh = rsa->meth;
    nmeth->name         = ometh->name;
    nmeth->rsa_pub_enc  = ometh->rsa_pub_enc;
    nmeth->rsa_pub_dec  = ometh->rsa_pub_dec;
    nmeth->rsa_priv_enc = sc_RSA_eay_private_encrypt;
    nmeth->rsa_priv_dec = sc_RSA_eay_private_decrypt;
    nmeth->rsa_mod_exp  = ometh->rsa_mod_exp;
    nmeth->bn_mod_exp   = ometh->bn_mod_exp;
    nmeth->init         = ometh->init;
    nmeth->finish       = ometh->finish;
    nmeth->flags        = ometh->flags;
    nmeth->app_data     = ometh->app_data;

    rsa->meth = nmeth;

The routines are using PKCS#11 and need two handles used
by PKCS#11. These are then stored:

    RSA_set_ex_data(rsa,SC_RSA_EX_DATA_INDEX_SESSION,(char *) hSession);
    RSA_set_ex_data(rsa,SC_RSA_EX_DATA_INDEX_OBJECT, (char *) hPrivKey);

The modulus and exponent are also retrieved from the smart card,
and stored in the RSA structure at this time.

The sc_RSA_eay_private_encrypt in effect calls these PKCS#11 routines:

ck_status = (*(pFunctionList->C_SignInit))(hSession, pMech, hObject);
ck_status = (*(pFunctionList->C_Sign))(hSession,  from, flen, to, &ulsiglen);

and the decrypt is similar.

This code can be found in the Globus source in the
Security/gssapi_ssleay/sclutils.c routine. See http://www.globus.org
for more information about Globus and how to get the source.

> He came up with an idea of integrating smartcards further down,
> into OpenSSL, instead of into OpenSSH.  This way, not only OpenSSH,
> but also other applications that rely on OpenSSL for RSA operations,
> can take advantage of smartcards' security features.  At the bottom is
> what I try to do in more details.

We also have modifications to SSH-1.2.27 to use the Globus GSI
which can use smartcards via the above method. The SecureCRT
product can use these mods as well. 

> 
> So here I have two questions.  First, would you like this kind of
> addition to OpenSSL?  Second, if yes, which code base would you like
> me to start from?  This,
> 
>     2086131 Sep 24 17:46:22 2000 openssl-0.9.6.tar.gz  [LATEST]
> 
> or one of the snapshots?
> 
> Thank you very much,
> 
> --
> Concentration .. Naomaru Itoi
> http://www.citi.umich.edu
> http://www-personal.engin.umich.edu/~itoi
> 
> - Create a RSA_METHOD entry for RSA in smartcard.
> static RSA_METHOD rsa_pkcs1_eay_smartcard_meth={
>         "Eric Young's PKCS#1 RSA, smartcard integrated",
>         RSA_eay_public_encrypt_sc,
>         NULL,
>         NULL,
>         RSA_eay_private_decrypt_sc,
>         NULL,
>         BN_mod_exp_mont,
>         RSA_eay_init_sc,
>         RSA_eay_finish_sc,
>         0,
>         NULL,
>         };
> 
> - Write RSA_eay_public_encrypt_sc, RSA_eay_private_decrypt_sc,
>   RSA_eay_init_sc, and RSA_eay_finish_sc.
> 
> - In rsa_lib.c, write RSA_set_smartcard_method() which sets this method
>   to *rsa.
> 
> - Modify OpenSSH to call RSA_set_smartcard_method() when a key is in a
> smartcard.
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

-- 

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
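An added illustration (not Globus or OpenSSH code, and not from either poster) of the method-substitution pattern in the snippet above, using toy stand-in types named rsa_t, rsa_method_t and sc_card_t in place of OpenSSL's RSA and RSA_METHOD, and constructed textbook RSA parameters. The default method is copied, only the two private-key entries are swapped for a routine that fetches the card handle from ex_data, and the host-side key object ends up holding only n and e.

```c
#include <stdint.h>

/* Toy stand-ins for OpenSSL's RSA and RSA_METHOD (not the real types); the
 * private exponent lives only in sc_card_t, i.e. "on the card". */
struct rsa_st;
typedef uint64_t (*rsa_op)(uint64_t in, const struct rsa_st *rsa);
typedef struct { const char *name; rsa_op priv_enc, priv_dec, pub_enc; } rsa_method_t;
typedef struct rsa_st {
    uint64_t n, e, d;          /* d stays 0 for a card-backed key */
    const rsa_method_t *meth;
    const void *ex_data;       /* card handle, as with RSA_set_ex_data() */
} rsa_t;
typedef struct { uint64_t n, e, d; } sc_card_t;
static uint64_t modpow(uint64_t b, uint64_t x, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; x; x >>= 1, b = b * b % m)
        if (x & 1) r = r * b % m;
    return r;
}
/* Default software method: private ops need d inside the host RSA object. */
static uint64_t sw_priv(uint64_t c, const rsa_t *r) { return modpow(c, r->d, r->n); }
static uint64_t sw_pub(uint64_t m, const rsa_t *r)  { return modpow(m, r->e, r->n); }
static const rsa_method_t sw_meth = { "software", sw_priv, sw_priv, sw_pub };
/* Replacement like sc_RSA_eay_private_*: take the card handle from ex_data and
 * let the card perform the private operation (C_SignInit/C_Sign in PKCS#11). */
static uint64_t sc_priv(uint64_t c, const rsa_t *r) {
    const sc_card_t *card = r->ex_data;
    return modpow(c, card->d, card->n);
}
/* Same steps as the posted snippet: copy the method, swap only the two
 * private entries, store the handle, read n and e from the card. */
void sc_bind(rsa_t *rsa, rsa_method_t *nmeth, const sc_card_t *card) {
    *nmeth = *rsa->meth;                 /* copy so other entries stay as-is */
    nmeth->name = "smartcard";
    nmeth->priv_enc = nmeth->priv_dec = sc_priv;
    rsa->meth = nmeth;
    rsa->ex_data = card;
    rsa->n = card->n; rsa->e = card->e; rsa->d = 0;
}
/* Encrypt with the unchanged public op, decrypt through the card. Returns 1
 * when the message round-trips while the host key object still has d == 0. */
int sc_roundtrip(uint64_t msg) {
    static const sc_card_t card = { 3233, 17, 2753 };   /* constructed: p=61, q=53 */
    rsa_method_t nmeth;
    rsa_t rsa = { 0, 0, 0, &sw_meth, 0 };
    sc_bind(&rsa, &nmeth, &card);
    uint64_t c = rsa.meth->pub_enc(msg, &rsa);
    return rsa.d == 0 && rsa.meth->priv_dec(c, &rsa) == msg;
}
```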