ECDSA support for GnuPG's ssh-agent.

Werner Koch wk at
Wed Dec 12 18:53:35 CET 2012


master has now support for ECDSA keys for the ssh-agent protocol.



commit 649b31c
Author: Werner Koch <wk at>
Date:   Wed Dec 12 18:47:21 2012 +0100

    ssh: Support ECDSA keys.
    * agent/command-ssh.c (SPEC_FLAG_IS_ECDSA): New.
    (struct ssh_key_type_spec): Add fields CURVE_NAME and HASH_ALGO.
    (ssh_key_types): Add types ecdsa-sha2-nistp{256,384,521}.
    (ssh_signature_encoder_t): Add arg spec and adjust all callers.
    (ssh_signature_encoder_ecdsa): New.
    (sexp_key_construct, sexp_key_extract, ssh_receive_key)
    (ssh_convert_key_to_blob): Support ecdsa.
    (ssh_identifier_from_curve_name): New.
    (ssh_send_key_public): Retrieve and pass the curve_name.
    (key_secret_to_public): Ditto.
    (data_sign): Add arg SPEC and change callers to pass it.
    (ssh_handler_sign_request): Get the hash algo from SPEC.
    * common/ssh-utils.c (get_fingerprint): Support ecdsa.
    * agent/protect.c (protect_info): Add flag ECC_HACK.
    (agent_protect): Allow the use of the "curve" parameter.
    * agent/t-protect.c (test_agent_protect): Add a test case for ecdsa.
    * agent/command-ssh.c (ssh_key_grip): Print a better error code.
    The 3 standard curves are now supported in gpg-agent's ssh-agent
    protocol implementation.  I tested this with all 3 curves and keys
    generated by OpenSSH 5.9p1.
    Using existing non-ssh generated keys will likely fail for now. To fix
    this, the code should first undergo some more cleanup; then the fixes
    are pretty straightforward.  And yes, the data structures are way too

Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list