IETF-SSH archive


Extension of the agent protocol for the PKCS#11 URI scheme



	hi,

	Oracle's implementation of the X.509 part[1] of the pubkey auth
method in the SSH protocol works with a PKCS#11 URI scheme[2] and as
with plain private keys in files, we allow individual keys to be added
to the agent. For that, we need two new messages in the agent protocol:

        byte            SSH2_AGENTC_ADD_PKCS11_KEY or
                        SSH2_AGENTC_ADD_PKCS11_KEY_CONSTRAINED
        string          PKCS#11 URI
        string          pin
        string[]        key_constraints

	we could reuse some existing messages, e.g. put the URI into
reader_id in SSH_AGENTC_ADD_SMARTCARD_KEY used by OpenSSH but that would
be a hack. The way OpenSSH works with keystores is different, all
available keys from a PKCS#11 provider are used, if I read the code
correctly.

	the agent protocol OpenSSH, SunSSH as its derivative, and quite
a few other implementations use comes from the original ssh-1.x code. It
seems to me that authfd.h and PROTOCOL.agent in the OpenSSH tarball are
now the de facto place for others to read about the current state of the
protocol. I tried to contact the OpenSSH team about a possible update of
the file but didn't get a reply.

	we would like to notify you about our intention to take two new
agent protocol message numbers. While not a problem on a localhost, if
we (Oracle) clashed with other implementations we could run into
problems when using agent forwarding. For now, we use higher numbers to
avoid a possible clash with other extensions:

#define SSH2_AGENTC_ADD_PKCS11_URI_KEY             62
#define SSH2_AGENTC_ADD_PKCS11_URI_KEY_CONSTRAINED 63

	please let us know if the numbers we use clash with any
implementation of yours or if you have any other concerns.

	thank you, Jan.

[1] http://tools.ietf.org/id/draft-saarenmaa-ssh-x509-00.txt
[2] http://www.ietf.org/id/draft-pechanec-pkcs11uri-03.txt

--
Jan Pechanec
http://blogs.sun.com/janp
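
The message layout proposed above, as an added example that is not part of the original post and is not Oracle's or OpenSSH's code: a strict encoder and decoder for message numbers 62 and 63. It assumes the usual agent framing (uint32 length, then the type byte) and SSH string encoding (uint32 length, then bytes); the constraint encoding is not spelled out in the post, so it is carried as opaque trailing bytes, and the function names and the size cap are hypothetical.

```python
import struct

# Message numbers taken from the post.
SSH2_AGENTC_ADD_PKCS11_URI_KEY = 62
SSH2_AGENTC_ADD_PKCS11_URI_KEY_CONSTRAINED = 63
MAX_AGENT_MSG = 256 * 1024  # assumed sanity cap on frame size

def _string(data: bytes) -> bytes:
    """Encode an SSH string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def encode_add_pkcs11_uri_key(uri: str, pin: str, constraints: bytes = b"") -> bytes:
    """Build a framed request; non-empty constraints selects message 63."""
    msg_type = (SSH2_AGENTC_ADD_PKCS11_URI_KEY_CONSTRAINED if constraints
                else SSH2_AGENTC_ADD_PKCS11_URI_KEY)
    body = bytes([msg_type]) + _string(uri.encode()) + _string(pin.encode()) + constraints
    return struct.pack(">I", len(body)) + body

def _read_string(buf: bytes, off: int):
    """Read one SSH string at off, refusing lengths that overrun the buffer."""
    if len(buf) - off < 4:
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if n > len(buf) - off:
        raise ValueError("string length exceeds message")
    return buf[off:off + n], off + n

def decode_add_pkcs11_uri_key(frame: bytes) -> dict:
    """Parse a framed request, rejecting anything malformed."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    (length,) = struct.unpack_from(">I", frame, 0)
    if length > MAX_AGENT_MSG or length != len(frame) - 4:
        raise ValueError("bad frame length")
    body = frame[4:]
    msg_type = body[0]
    if msg_type not in (62, 63):
        raise ValueError("not a PKCS#11 URI add-key message")
    uri, off = _read_string(body, 1)
    pin, off = _read_string(body, off)
    rest = body[off:]  # constraints, kept opaque (encoding not given in the post)
    if msg_type == SSH2_AGENTC_ADD_PKCS11_URI_KEY and rest:
        raise ValueError("trailing bytes in unconstrained message")
    if msg_type == SSH2_AGENTC_ADD_PKCS11_URI_KEY_CONSTRAINED and not rest:
        raise ValueError("constrained message without constraints")
    return {"type": msg_type, "uri": uri.decode(), "pin": pin.decode(), "constraints": rest}
```

The frame carries the PIN in clear, so an agent handling these messages should treat the decoded buffer as secret material.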


