
Issue 920616

Issue metadata

Status: Unconfirmed
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug



nassh: ed25519 key on authentication slot of smartcard not supported

Reported by joshuaf...@gmail.com, Jan 10

Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 11210.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3593.0 Safari/537.36
Platform: 11210.0.0 (Official Build) dev-channel cave

Steps to reproduce the problem:
1. Load an ed25519 key on the authentication slot of a smartcard (Nitrokey Start)
2. Start Secure Shell App with --ssh-agent=gsc under ssh relay options and allow said app in Smart Card Connector app

What is the expected behavior?
Authenticate successfully on remote ssh host.

What went wrong?
After doing some debugging, I see that in the nassh.agent.backends.GSC.SmartCardManager.prototype.fetchPublicKeyBlob() method, the publicKeyTemplate takes the following value:

nassh.agent.backends.GSC.DataObject {tagClass: 1, tagClassDescription: "application", isConstructed: true, tagNumber: 73, tag: 18815, …}
  children: Array(1)
    0: nassh.agent.backends.GSC.DataObject
      isConstructed: false
      tag: 134
      tagClass: 2
      tagClassDescription: "context-specific"
      tagDescription: "<unimplemented tag: 134>"
      tagNumber: 6
      value: Uint8Array(32) [xxx]
      valueLength: 32
      __proto__: Object
    length: 1
    __proto__: Array(0)
  isConstructed: true
  tag: 18815
  tagClass: 1
  tagClassDescription: "application"
  tagDescription: "<unimplemented tag: 18815>"
  tagNumber: 73
  valueLength: 34
  __proto__: Object

Background: I am on Chrome OS, and trying out the Secure Shell app together with the Smart Card Connector app with a Nitrokey Start. The key on the authentication slot is an ed25519 one, which was saved to the card after executing

$ gpg-connect-agent "SCD SETATTR KEY-ATTR --force 3 22 ed25519" /bye

per [1].

I am able to authenticate properly on a regular desktop with gpg --enable-ssh-support. However, on Chrome OS, I followed the instructions on [2] with `--ssh-agent=gsc`, and even with -vvv in ssh options, could not figure out why my (public) key was not being advertised by Secure Shell.

WebStore page: Secure Shell App

Did this work before? N/A 

Chrome version: 72.0.3593.0  Channel: n/a
OS Version: 11210.0.0
Flash Version:
 
Hi, I intended to file the bug under the Component Platform>Apps>Default>Hterm.

And the references in my issue are:

[1] https://www.nitrokey.com/news/2017/nitrokey-start-supports-elliptic-curves-ecc
[2] https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/hardware-keys.md
Components: OS>Systems>Network Platform>Apps>Default>Hterm
Cc: fabian.h...@gmail.com
Components: -OS>Systems>Network -Platform>Apps
Summary: nassh: ed25519 key on authentication slot of smartcard not supported (was: ed25519 key on authentication slot of smartcard not supported)
Thank you for the detailed error report. 

The smart card support in Secure Shell is custom-built and thus does not automatically have all the features of gpg. Support for ECC keys is not implemented yet as it is a rather new feature and requires OpenPGP cards version 3.0 and up.

I will look into implementing at least the common curves, but will first need to acquire a compatible smart card.
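
Added example (not nassh code and not part of the thread): the dump in the report shows a constructed public key template whose only child is context-specific tag 134 (0x86) carrying a 32-byte value. The code below parses that shape from raw BER-TLV bytes and wraps the value as an `ssh-ed25519` public key blob. It assumes the card's algorithm attributes have already identified the key as Ed25519; the function names and the sample bytes are constructed for this example.

```javascript
// Added example, not nassh code. All names and sample bytes are constructed.
// Read one BER-TLV object at `offset`; returns tag, value and next offset.
function readTlv(bytes, offset) {
  let tag = bytes[offset++];
  const constructed = (tag & 0x20) !== 0;
  if ((tag & 0x1f) === 0x1f) {            // multi-byte tag, e.g. 7F 49
    let b;
    do {
      b = bytes[offset++];
      tag = tag * 256 + b;
    } while (b & 0x80);
  }
  let length = bytes[offset++];
  if (length & 0x80) {                     // long form: next n bytes hold the length
    const n = length & 0x7f;
    if (n === 0 || n > 3) throw new Error('unsupported length encoding');
    length = 0;
    for (let i = 0; i < n; i++) length = length * 256 + bytes[offset++];
  }
  // Negated <= also rejects NaN, which any read past the end produces.
  if (!(offset + length <= bytes.length)) throw new Error('truncated TLV');
  return {tag, constructed, value: bytes.subarray(offset, offset + length),
          next: offset + length};
}

// SSH wire "string": uint32 big-endian length followed by the bytes.
function sshString(data) {
  const out = new Uint8Array(4 + data.length);
  new DataView(out.buffer).setUint32(0, data.length);
  out.set(data, 4);
  return out;
}

// Build the SSH public key blob from a 7F49 template holding an Ed25519 key.
function ed25519BlobFromTemplate(template) {
  const outer = readTlv(template, 0);
  if (outer.tag !== 0x7f49 || !outer.constructed) throw new Error('not a 7F49 template');
  for (let pos = 0; pos < outer.value.length;) {
    const child = readTlv(outer.value, pos);
    pos = child.next;
    if (child.tag !== 0x86) continue;      // 0x86: ECC public key
    if (child.value.length !== 32) throw new Error('unexpected Ed25519 key length');
    const name = sshString(new TextEncoder().encode('ssh-ed25519'));
    const key = sshString(child.value);
    const blob = new Uint8Array(name.length + key.length);
    blob.set(name);
    blob.set(key, name.length);
    return blob;
  }
  throw new Error('no ECC public key (tag 0x86) in template');
}

// Constructed sample: 7F49, length 0x22, one 0x86 child with 32 placeholder bytes.
const sampleTemplate = Uint8Array.from(
    [0x7f, 0x49, 0x22, 0x86, 0x20, ...Array.from({length: 32}, (_, i) => i)]);
```

A template that contains only RSA-style children (no tag 0x86) makes `ed25519BlobFromTemplate` throw instead of returning a partial blob, so an agent backend can skip the key explicitly rather than silently advertising nothing.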
