Merge branch 'maint'

14 files changed, 506 insertions, 30 deletions

diff --git a/lib/crypto/c_src/crypto.c b/lib/crypto/c_src/crypto.c
index 28cc982c1e..b29c5082ba 100644
--- a/lib/crypto/c_src/crypto.c
+++ b/lib/crypto/c_src/crypto.c
@@ -348,6 +348,10 @@ static INLINE void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const
 
 static INLINE int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key);
 static INLINE int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+static INLINE void DSA_get0_pqg(const DSA *dsa,
+			       const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
+static INLINE void DSA_get0_key(const DSA *dsa,
+			       const BIGNUM **pub_key, const BIGNUM **priv_key);
 
 static INLINE int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
 {
@@ -364,6 +368,23 @@ static INLINE int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
     return 1;
 }
 
+static INLINE void
+DSA_get0_pqg(const DSA *dsa, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
+{
+    *p = dsa->p;
+    *q = dsa->q;
+    *g = dsa->g;
+}
+
+static INLINE void
+DSA_get0_key(const DSA *dsa, const BIGNUM **pub_key, const BIGNUM **priv_key)
+{
+    if (pub_key) *pub_key = dsa->pub_key;
+    if (priv_key) *priv_key = dsa->priv_key;
+}
+
+
+
 static INLINE int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
 static INLINE int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
 static INLINE int DH_set_length(DH *dh, long length);
@@ -393,6 +414,8 @@ static INLINE int DH_set_length(DH *dh, long length)
     return 1;
 }
 
+
+
 static INLINE void
 DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
 {
@@ -404,8 +427,8 @@ DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
 static INLINE void
 DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
 {
-    *pub_key = dh->pub_key;
-    *priv_key = dh->priv_key;
+    if (pub_key) *pub_key = dh->pub_key;
+    if (priv_key) *priv_key = dh->priv_key;
 }
 
 #else /* End of compatibility definitions. */
@@ -454,6 +477,7 @@ static ERL_NIF_TERM dh_generate_parameters_nif(ErlNifEnv* env, int argc, const E
 static ERL_NIF_TERM dh_check(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]);
 static ERL_NIF_TERM dh_generate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]);
 static ERL_NIF_TERM dh_compute_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]);
+static ERL_NIF_TERM privkey_to_pubkey_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]);
 static ERL_NIF_TERM srp_value_B_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]);
 static ERL_NIF_TERM srp_user_secret_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]);
 static ERL_NIF_TERM srp_host_secret_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]);
@@ -542,6 +566,7 @@ static ErlNifFunc nif_funcs[] = {
     {"dh_check", 1, dh_check},
     {"dh_generate_key_nif", 4, dh_generate_key_nif},
     {"dh_compute_key_nif", 3, dh_compute_key_nif},
+    {"privkey_to_pubkey_nif", 2, privkey_to_pubkey_nif},
     {"srp_value_B_nif", 5, srp_value_B_nif},
     {"srp_user_secret_nif", 7, srp_user_secret_nif},
     {"srp_host_secret_nif", 5, srp_host_secret_nif},
@@ -4765,6 +4790,83 @@ static ERL_NIF_TERM pkey_crypt_nif(ErlNifEnv *env, int argc, const ERL_NIF_TERM
 
 
 /*--------------------------------*/
+static ERL_NIF_TERM privkey_to_pubkey_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
+{ /* (Algorithm, PrivKey | KeyMap) */
+    EVP_PKEY *pkey;
+    ERL_NIF_TERM alg = argv[0];
+    ERL_NIF_TERM result[8];
+
+    if (get_pkey_private_key(env, alg, argv[1], &pkey) != PKEY_OK) {
+	return enif_make_badarg(env);
+    }
+
+    if (alg == atom_rsa) {
+        const BIGNUM *n = NULL, *e = NULL, *d = NULL;
+        RSA *rsa = EVP_PKEY_get1_RSA(pkey);
+        if (rsa) {
+            RSA_get0_key(rsa, &n, &e, &d);
+            result[0] = bin_from_bn(env, e);  // Exponent E
+            result[1] = bin_from_bn(env, n);  // Modulus N = p*q
+            EVP_PKEY_free(pkey);
+            return enif_make_list_from_array(env, result, 2);
+        }
+
+    } else if (argv[0] == atom_dss) {
+        const BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL;
+        DSA *dsa = EVP_PKEY_get1_DSA(pkey);
+        if (dsa) {
+            DSA_get0_pqg(dsa, &p, &q, &g);
+            DSA_get0_key(dsa, &pub_key, NULL);
+            result[0] = bin_from_bn(env, p);
+            result[1] = bin_from_bn(env, q);
+            result[2] = bin_from_bn(env, g);
+            result[3] = bin_from_bn(env, pub_key);
+            EVP_PKEY_free(pkey);
+            return enif_make_list_from_array(env, result, 4);
+        }
+
+    } else if (argv[0] == atom_ecdsa) {
+#if defined(HAVE_EC)
+        EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
+        if (ec) {
+            /* Example of result:
+               {
+                 Curve =  {Field, Prime, Point, Order, CoFactor} =
+                    { 
+                      Field =  {prime_field,<<255,...,255>>},
+                      Prime = {<<255,...,252>>,
+                               <<90,...,75>>,
+                               <<196,...,144>>
+                              },
+                      Point =    <<4,...,245>>,
+                      Order =    <<255,...,81>>,
+                      CoFactor = <<1>>
+                    },
+                Key = <<151,...,62>>
+              }
+              or
+              { 
+                Curve =
+                    {characteristic_two_field, 
+                     M,
+                     Basis = {tpbasis, _}
+                           | {ppbasis, k1, k2, k3}
+                    },
+                Key
+               }
+            */
+            EVP_PKEY_free(pkey);
+            return atom_notsup;
+        }
+#else
+        EVP_PKEY_free(pkey);
+        return atom_notsup;
+#endif
+    }
+
+    if (pkey) EVP_PKEY_free(pkey);
+    return enif_make_badarg(env);
+}
 
 /*================================================================*/
 
diff --git a/lib/crypto/doc/src/crypto.xml b/lib/crypto/doc/src/crypto.xml
index 72351f1fe5..3ab8f9c832 100644
--- a/lib/crypto/doc/src/crypto.xml
+++ b/lib/crypto/doc/src/crypto.xml
@@ -617,6 +617,21 @@
     </func>
 
     <func>
+      <name>privkey_to_pubkey(Type, EnginePrivateKeyRef) -> PublicKey</name>
+      <fsummary>Fetches a public key from an Engine stored private key.</fsummary>
+      <type>
+	<v>Type = rsa | dss</v>
+	<v>EnginePrivateKeyRef = engine_key_ref()</v>
+	<v>PublicKey =  rsa_public() | dss_public()</v>
+      </type>
+      <desc>
+	<p>Fetches the corresponding public key from a private key stored in an Engine.
+	The key must be of the type indicated by the Type parameter.
+	</p>	
+      </desc>
+    </func>
+
+    <func>
       <name>private_encrypt(Type, PlainText, PrivateKey, Padding) -> CipherText</name>
       <fsummary>Encrypts PlainText using the private Key.</fsummary>
       <type>
diff --git a/lib/crypto/src/crypto.erl b/lib/crypto/src/crypto.erl
index 3e18756cf9..9ba1623348 100644
--- a/lib/crypto/src/crypto.erl
+++ b/lib/crypto/src/crypto.erl
@@ -43,6 +43,7 @@
 -export([public_encrypt/4, private_decrypt/4]).
 -export([private_encrypt/4, public_decrypt/4]).
 -export([dh_generate_parameters/2, dh_check/1]). %% Testing see
+-export([privkey_to_pubkey/2]).
 -export([ec_curve/1, ec_curves/0]).
 -export([rand_seed/1]).
 %% Engine
@@ -1097,6 +1098,16 @@ ec_curves() ->
 ec_curve(X) ->
     crypto_ec_curves:curve(X).
 
+
+privkey_to_pubkey(Alg, EngineMap) when Alg == rsa; Alg == dss; Alg == ecdsa ->
+    case privkey_to_pubkey_nif(Alg, format_pkey(Alg,EngineMap)) of
+        [_|_]=L -> map_ensure_bin_as_int(L);
+        X -> X
+    end.
+            
+privkey_to_pubkey_nif(_Alg, _EngineMap) -> ?nif_stub.
+
+
 %%
 %% EC
 %%
@@ -1164,6 +1175,14 @@ ensure_int_as_bin(Int) when is_integer(Int) ->
 ensure_int_as_bin(Bin) ->
     Bin.
 
+map_ensure_bin_as_int(List) when is_list(List) ->
+    lists:map(fun ensure_bin_as_int/1, List).
+
+ensure_bin_as_int(Bin) when is_binary(Bin) ->
+    bin_to_int(Bin);
+ensure_bin_as_int(E) ->
+    E.
+
 format_pkey(_Alg, #{engine:=_, key_id:=T}=M) when is_binary(T) -> format_pwd(M);
 format_pkey(_Alg, #{engine:=_, key_id:=T}=M) when is_list(T) -> format_pwd(M#{key_id:=list_to_binary(T)});
 format_pkey(_Alg, #{engine:=_           }=M) -> error({bad_key_id, M});
diff --git a/lib/crypto/test/engine_SUITE.erl b/lib/crypto/test/engine_SUITE.erl
index aac8946893..72bd59f8ab 100644
--- a/lib/crypto/test/engine_SUITE.erl
+++ b/lib/crypto/test/engine_SUITE.erl
@@ -56,7 +56,9 @@ groups() ->
        priv_encrypt_pub_decrypt_rsa,
        priv_encrypt_pub_decrypt_rsa_pwd,
        pub_encrypt_priv_decrypt_rsa,
-       pub_encrypt_priv_decrypt_rsa_pwd
+       pub_encrypt_priv_decrypt_rsa_pwd,
+       get_pub_from_priv_key_dsa,
+       get_pub_from_priv_key_ecdsa
       ]}].
 
 
@@ -410,6 +412,31 @@ pub_encrypt_priv_decrypt_rsa_pwd(Config) ->
              key_id => key_id(Config, "rsa_public_key.pem")},
     pub_enc_priv_dec(rsa, Pub, Priv,  rsa_pkcs1_padding).
 
+get_pub_from_priv_key_rsa(Config) ->
+    Priv = #{engine => engine_ref(Config),
+             key_id => key_id(Config, "rsa_private_key.pem")},
+    Pub = crypto:privkey_to_pubkey(rsa, Priv),
+    ct:log("rsa Pub = ~p",[Pub]),
+    sign_verify(rsa, sha, Priv, Pub).
+
+get_pub_from_priv_key_dsa(Config) ->
+    Priv = #{engine => engine_ref(Config),
+             key_id => key_id(Config, "dsa_private_key.pem")},
+    Pub = crypto:privkey_to_pubkey(dss, Priv),
+    ct:log("dsa Pub = ~p",[Pub]),
+    sign_verify(dss, sha, Priv, Pub).
+
+get_pub_from_priv_key_ecdsa(Config) ->
+    Priv = #{engine => engine_ref(Config),
+             key_id => key_id(Config, "ecdsa_private_key.pem")},
+    Pub = crypto:privkey_to_pubkey(ecdsa, Priv),
+    case Pub of
+        notsup -> {skip, "ECDSA not implemented"};
+        _ ->
+            ct:log("ecdsa Pub = ~p",[Pub]),
+            sign_verify(ecdsa, sha, Priv, Pub)
+    end.
+    
 %%%================================================================
 %%% Help for engine_stored_pub_priv_keys* test cases
 %%%
diff --git a/lib/ssh/doc/src/ssh_client_key_api.xml b/lib/ssh/doc/src/ssh_client_key_api.xml
index a1cd9d4b02..98a1676ca4 100644
--- a/lib/ssh/doc/src/ssh_client_key_api.xml
+++ b/lib/ssh/doc/src/ssh_client_key_api.xml
@@ -56,11 +56,17 @@
       <tag><c>string() =</c></tag>
       <item><p><c>[byte()]</c></p></item>
       <tag><c>public_key() =</c></tag>
-      <item><p><c>#'RSAPublicKey'{}| {integer(),  #'Dss-Parms'{}}| term()</c></p></item>
+      <item><p><c>#'RSAPublicKey'{} 
+      | {integer(),#'Dss-Parms'{}} 
+      | {#'ECPoint'{},{namedCurve,Curve::string()}}</c></p></item>
       <tag><c>private_key() =</c></tag>
-      <item><p><c>#'RSAPrivateKey'{} | #'DSAPrivateKey'{} | term()</c></p></item>
+      <item><p><c>#'RSAPrivateKey'{} 
+      | #'DSAPrivateKey'{} 
+      | #'ECPrivateKey'{}</c></p></item>      
       <tag><c>public_key_algorithm() =</c></tag>
-      <item><p><c>'ssh-rsa'| 'ssh-dss' | atom()</c></p></item>
+      <item><p><c>'ssh-rsa' | 'ssh-dss' 
+      | 'rsa-sha2-256' | 'rsa-sha2-384' | 'rsa-sha2-512' 
+      | 'ecdsa-sha2-nistp256' | 'ecdsa-sha2-nistp384' | 'ecdsa-sha2-nistp521' </c></p></item>
     </taglist>
   </section>
 
@@ -73,10 +79,11 @@
       <d>Description of the host that owns the <c>PublicKey</c>.</d>
 
       <v>Key = public_key()</v>
-      <d>Normally an RSA or DSA public key, but handling of other public keys can be added.</d>
+      <d>Normally an RSA, DSA or ECDSA public key, but handling of other public keys can be added.</d>
 
       <v>ConnectOptions = proplists:proplist()</v>
-      <d>Options provided to <seealso marker="ssh#connect-3">ssh:connect/[3,4]</seealso></d>
+      <d>Options provided to <seealso marker="ssh#connect-3">ssh:connect/[3,4]</seealso>. The option list given in
+	the <c>key_cb</c> option is available with the key <c>key_cb_private</c>.</d>
       <v>Reason = term().</v>
       </type>
       <desc>
@@ -89,17 +96,17 @@
       <fsummary>Checks if a host key is trusted.</fsummary>
       <type>
 	<v>Key = public_key() </v>
-	<d>Normally an RSA or DSA public key, but handling of other public keys can be added.</d>
+	<d>Normally an RSA, DSA or ECDSA public key, but handling of other public keys can be added.</d>
 
 	<v>Host = string()</v>
 	<d>Description of the host.</d>
 
 	<v>Algorithm = public_key_algorithm()</v>
-	<d>Host key algorithm. Is to support <c>'ssh-rsa'| 'ssh-dss'</c>, but more algorithms
-	can be handled.</d>
+	<d>Host key algorithm.</d>
 
 	<v>ConnectOptions = proplists:proplist() </v>
-	<d>Options provided to <seealso marker="ssh#connect-3">ssh:connect/[3,4]</seealso>.</d>
+	<d>Options provided to <seealso marker="ssh#connect-3">ssh:connect/[3,4]</seealso>. The option list given in
+	the <c>key_cb</c> option is available with the key <c>key_cb_private</c>.</d>
 
 	<v>Result = boolean()</v>
       </type>
@@ -110,15 +117,15 @@
 
     <func>
       <name>Module:user_key(Algorithm, ConnectOptions) ->
-      {ok,  PrivateKey}  | {error, Reason}</name>
+      {ok, PrivateKey}  | {error, Reason}</name>
       <fsummary>Fetches the users <em>public key</em> matching the <c>Algorithm</c>.</fsummary>
       <type>
 	<v>Algorithm = public_key_algorithm()</v>
-	<d>Host key algorithm. Is to support <c>'ssh-rsa'| 'ssh-dss'</c> but more algorithms
-	can be handled.</d>
+	<d>Host key algorithm.</d>
 
 	<v>ConnectOptions = proplists:proplist()</v>
-	<d>Options provided to <seealso marker="ssh#connect-3">ssh:connect/[3,4]</seealso></d>
+	<d>Options provided to <seealso marker="ssh#connect-3">ssh:connect/[3,4]</seealso>. The option list given in
+	the <c>key_cb</c> option is available with the key <c>key_cb_private</c>.</d>
 
 	<v>PrivateKey = private_key()</v>
 	<d>Private key of the user matching the <c>Algorithm</c>.</d>
diff --git a/lib/ssh/doc/src/ssh_server_key_api.xml b/lib/ssh/doc/src/ssh_server_key_api.xml
index a0694ca8d9..c6808b95d1 100644
--- a/lib/ssh/doc/src/ssh_server_key_api.xml
+++ b/lib/ssh/doc/src/ssh_server_key_api.xml
@@ -57,11 +57,17 @@
       <tag><c>string() =</c></tag>
       <item><p><c>[byte()]</c></p></item>
       <tag><c>public_key() =</c></tag>
-      <item><p><c>#'RSAPublicKey'{}| {integer(),  #'Dss-Parms'{}}| term()</c></p></item>
+      <item><p><c>#'RSAPublicKey'{} 
+      | {integer(),#'Dss-Parms'{}} 
+      | {#'ECPoint'{},{namedCurve,Curve::string()}}</c></p></item>
       <tag><c>private_key() =</c></tag>
-      <item><p><c>#'RSAPrivateKey'{} | #'DSAPrivateKey'{} | term()</c></p></item>
+      <item><p><c>#'RSAPrivateKey'{} 
+      | #'DSAPrivateKey'{} 
+      | #'ECPrivateKey'{}</c></p></item>      
       <tag><c>public_key_algorithm() =</c></tag>
-      <item><p><c>'ssh-rsa'| 'ssh-dss' | atom()</c></p></item>
+      <item><p><c>'ssh-rsa' | 'ssh-dss' 
+      | 'rsa-sha2-256' | 'rsa-sha2-384' | 'rsa-sha2-512'
+      | 'ecdsa-sha2-nistp256' | 'ecdsa-sha2-nistp384' | 'ecdsa-sha2-nistp521' </c></p></item>
     </taglist>
   </section>
   
@@ -72,12 +78,13 @@
       <fsummary>Fetches the host’s private key.</fsummary>
       <type>
 	<v>Algorithm = public_key_algorithm()</v>
-	<d>Host key algorithm. Is to support <c>'ssh-rsa' | 'ssh-dss'</c>, but more algorithms
-	can be handled.</d>
+	<d>Host key algorithm.</d>
 	<v>DaemonOptions = proplists:proplist()</v>
-	<d>Options provided to <seealso marker="ssh#daemon-2">ssh:daemon/[2,3]</seealso>.</d>
-	<v>Key = private_key()</v>
-	<d>Private key of the host matching the <c>Algorithm</c>.</d>
+	<d>Options provided to <seealso marker="ssh#daemon-2">ssh:daemon/[2,3]</seealso>. The option list given in
+	the <c>key_cb</c> option is available with the key <c>key_cb_private</c>.</d>
+	<v>Key = private_key() | crypto:engine_key_ref()</v>
+	<d>Private key of the host matching the <c>Algorithm</c>.
+	It may be a reference to a 'ssh-rsa', rsa-sha2-* or 'ssh-dss' (NOT ecdsa) key stored in a loaded Engine.</d>
 	<v>Reason = term()</v>
       </type>
       <desc>
@@ -90,11 +97,12 @@
       <fsummary>Checks if the user key is authorized.</fsummary>
       <type>
 	<v>Key = public_key()</v>
-	<d>Normally an RSA or DSA public key, but handling of other public keys can be added</d>
+	<d>Normally an RSA, DSA or ECDSA public key, but handling of other public keys can be added</d>
 	<v>User = string()</v>
 	<d>User owning the public key.</d>
 	<v>DaemonOptions = proplists:proplist()</v>
-	<d>Options provided to  <seealso marker="ssh#daemon-2">ssh:daemon/[2,3]</seealso>.</d>
+	<d>Options provided to <seealso marker="ssh#daemon-2">ssh:daemon/[2,3]</seealso>. The option list given in
+	the <c>key_cb</c> option is available with the key <c>key_cb_private</c>.</d>
 	<v>Result = boolean()</v>
       </type>
       <desc>
diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index d8f7a96c15..892db6b64f 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -811,7 +811,15 @@ extract_public_key(#'DSAPrivateKey'{y = Y, p = P, q = Q, g = G}) ->
     {Y,  #'Dss-Parms'{p=P, q=Q, g=G}};
 extract_public_key(#'ECPrivateKey'{parameters = {namedCurve,OID},
 				   publicKey = Q}) ->
-    {#'ECPoint'{point=Q}, {namedCurve,OID}}.
+    {#'ECPoint'{point=Q}, {namedCurve,OID}};
+extract_public_key(#{engine:=_, key_id:=_, algorithm:=Alg} = M) ->
+    case {Alg, crypto:privkey_to_pubkey(Alg, M)} of
+        {rsa, [E,N]} ->
+            #'RSAPublicKey'{modulus = N, publicExponent = E};
+        {dss, [P,Q,G,Y]} ->
+            {Y, #'Dss-Parms'{p=P, q=Q, g=G}}
+    end.
+
 
 
 verify_host_key(#ssh{algorithms=Alg}=SSH, PublicKey, Digest, {AlgStr,Signature}) ->
@@ -1261,10 +1269,12 @@ payload(<<PacketLen:32, PaddingLen:8, PayloadAndPadding/binary>>) ->
     <<Payload:PayloadLen/binary, _/binary>> = PayloadAndPadding,
     Payload.
 
+sign(SigData, HashAlg, #{algorithm:=dss} = Key) ->
+    mk_dss_sig(crypto:sign(dss, HashAlg, SigData, Key));
+sign(SigData, HashAlg, #{algorithm:=SigAlg} = Key) ->
+    crypto:sign(SigAlg, HashAlg, SigData, Key);
 sign(SigData, HashAlg,  #'DSAPrivateKey'{} = Key) ->
-    DerSignature = public_key:sign(SigData, HashAlg, Key),
-    #'Dss-Sig-Value'{r = R, s = S} = public_key:der_decode('Dss-Sig-Value', DerSignature),
-    <<R:160/big-unsigned-integer, S:160/big-unsigned-integer>>;
+    mk_dss_sig(public_key:sign(SigData, HashAlg, Key));
 sign(SigData, HashAlg, Key = #'ECPrivateKey'{}) ->
     DerEncodedSign =  public_key:sign(SigData, HashAlg, Key),
     #'ECDSA-Sig-Value'{r=R, s=S} = public_key:der_decode('ECDSA-Sig-Value', DerEncodedSign),
@@ -1272,6 +1282,12 @@ sign(SigData, HashAlg, Key = #'ECPrivateKey'{}) ->
 sign(SigData, HashAlg, Key) ->
     public_key:sign(SigData, HashAlg, Key).
 
+
+mk_dss_sig(DerSignature) ->
+    #'Dss-Sig-Value'{r = R, s = S} = public_key:der_decode('Dss-Sig-Value', DerSignature),
+    <<R:160/big-unsigned-integer, S:160/big-unsigned-integer>>.
+
+
 verify(PlainText, HashAlg, Sig, {_,  #'Dss-Parms'{}} = Key) ->
     case Sig of
         <<R:160/big-unsigned-integer, S:160/big-unsigned-integer>> ->
@@ -1823,6 +1839,8 @@ kex_alg_dependent({Min, NBits, Max, Prime, Gen, E, F, K}) ->
 
 %%%----------------------------------------------------------------
 
+valid_key_sha_alg(#{engine:=_, key_id:=_}, _Alg) -> true; % Engine key
+
 valid_key_sha_alg(#'RSAPublicKey'{}, 'rsa-sha2-512') -> true;
 valid_key_sha_alg(#'RSAPublicKey'{}, 'rsa-sha2-384') -> true;
 valid_key_sha_alg(#'RSAPublicKey'{}, 'rsa-sha2-256') -> true;
diff --git a/lib/ssh/test/Makefile b/lib/ssh/test/Makefile
index 5ea048a352..a18383d148 100644
--- a/lib/ssh/test/Makefile
+++ b/lib/ssh/test/Makefile
@@ -38,6 +38,7 @@ MODULES= \
 	ssh_basic_SUITE \
 	ssh_bench_SUITE \
 	ssh_connection_SUITE \
+	ssh_engine_SUITE \
 	ssh_protocol_SUITE \
 	ssh_property_test_SUITE \
 	ssh_sftp_SUITE \
@@ -49,6 +50,7 @@ MODULES= \
 	ssh_test_lib \
 	ssh_key_cb \
 	ssh_key_cb_options \
+	ssh_key_cb_engine_keys \
 	ssh_trpt_test_lib \
 	ssh_echo_server \
 	ssh_bench_dev_null \
diff --git a/lib/ssh/test/ssh_engine_SUITE.erl b/lib/ssh/test/ssh_engine_SUITE.erl
new file mode 100644
index 0000000000..035446932b
--- /dev/null
+++ b/lib/ssh/test/ssh_engine_SUITE.erl
@@ -0,0 +1,141 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2008-2017. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+
+-module(ssh_engine_SUITE).
+
+-include_lib("common_test/include/ct.hrl").
+-include("ssh_test_lib.hrl").
+
+%% Note: This directive should only be used in test suites.
+-compile(export_all).
+
+%%--------------------------------------------------------------------
+%% Common Test interface functions -----------------------------------
+%%--------------------------------------------------------------------
+
+suite() ->
+    [{ct_hooks,[ts_install_cth]},
+     {timetrap,{seconds,40}}].
+
+all() -> 
+    [{group, dsa_key},
+     {group, rsa_key}
+    ].
+
+groups() ->
+    [{dsa_key, [], basic_tests()},
+     {rsa_key, [], basic_tests()}
+    ].
+
+basic_tests() ->
+    [simple_connect
+    ].
+
+
+%%--------------------------------------------------------------------
+init_per_suite(Config) ->
+    ssh:start(),
+    ?CHECK_CRYPTO(
+       case load_engine() of
+           {ok,E} -> 
+               ssh_dbg:messages(fun ct:pal/2),
+               [{engine,E}|Config];
+           {error, notsup} ->
+               {skip, "Engine not supported on this OpenSSL version"};
+           {error, bad_engine_id} ->
+               {skip, "Dynamic Engine not supported"};
+           Other ->
+               ct:log("Engine load failed: ~p",[Other]),
+               {fail, "Engine load failed"}
+       end
+      ).
+
+end_per_suite(Config) ->
+    catch crypto:engine_unload( proplists:get_value(engine,Config) ),
+    ssh:stop().
+
+%%--------------------------------------------------------------------
+init_per_group(dsa_key, Config) ->
+    case lists:member('ssh-dss',
+		      ssh_transport:default_algorithms(public_key)) of
+	true ->
+            start_daemon(Config, 'ssh-dss', "dsa_private_key.pem");
+	false ->
+	    {skip, unsupported_pub_key}
+    end;
+init_per_group(rsa_key, Config) ->
+    case lists:member('ssh-rsa',
+		      ssh_transport:default_algorithms(public_key)) of
+	true ->
+            start_daemon(Config, 'ssh-rsa', "rsa_private_key.pem");
+	false ->
+	    {skip, unsupported_pub_key}
+    end.
+
+start_daemon(Config, KeyType, KeyId) ->
+    SystemDir = proplists:get_value(data_dir, Config),
+    FullKeyId = filename:join(SystemDir, KeyId),
+    KeyCBOpts = [{engine, proplists:get_value(engine,Config)},
+                 {KeyType, FullKeyId}
+                ],
+    Opts = [{key_cb, {ssh_key_cb_engine_keys, KeyCBOpts}}],
+    {Pid, Host, Port} = ssh_test_lib:std_daemon(Config, Opts),
+    [{host_port,{Host,Port}}, {daemon_pid,Pid}| Config].
+
+
+end_per_group(_, Config) ->
+    catch ssh:stop_daemon(proplists:get_value(daemon_pid,Config)),
+    Config.
+
+%%--------------------------------------------------------------------
+%% Test Cases --------------------------------------------------------
+%%--------------------------------------------------------------------
+
+%% A simple exec call
+simple_connect(Config) ->
+    {Host,Port} = proplists:get_value(host_port, Config),
+    CRef = ssh_test_lib:std_connect(Config, Host, Port, []),
+    ssh:close(CRef).
+
+%%--------------------------------------------------------------------
+%%--------------------------------------------------------------------
+load_engine() ->
+    case crypto:get_test_engine() of
+        {ok, Engine} ->
+            try crypto:engine_load(<<"dynamic">>,
+                                   [{<<"SO_PATH">>, Engine},
+                                    <<"LOAD">>],
+                                   [])
+            catch
+                error:notsup ->
+                    {error, notsup}
+            end;
+
+        {error, Error} ->
+            {error, Error}
+    end.
+
+start_std_daemon(Opts, Config) ->
+    ct:log("starting std_daemon",[]),
+    {Pid, Host, Port} = ssh_test_lib:std_daemon(Config, Opts),
+    ct:log("started ~p:~p  ~p",[Host,Port,Opts]),
+    [{srvr_pid,Pid},{srvr_addr,{Host,Port}} | Config].
diff --git a/lib/ssh/test/ssh_engine_SUITE_data/dsa_private_key.pem b/lib/ssh/test/ssh_engine_SUITE_data/dsa_private_key.pem
new file mode 100644
index 0000000000..778ffac675
--- /dev/null
+++ b/lib/ssh/test/ssh_engine_SUITE_data/dsa_private_key.pem
@@ -0,0 +1,9 @@
+-----BEGIN PRIVATE KEY-----
+MIIBSwIBADCCASwGByqGSM44BAEwggEfAoGBAMyitTMR7vPbpqyAXJpqnB0AhFwQ
+F87IE+JKFl5bD/MSkhhRV5sM73HUU1ooXY0FjhZ+cdLUCATuZR5ta4ydANqWIcAB
+gX3IwF1B4zf5SXEKTWkUYneL9dOKtiZLtoG28swrk8xMxwX+0fLHkltCEj6FiTW9
+PFrv8GmIfV6DjcI9AhUAqXWbb3RtoN9Ld28fVMhGZrj3LJUCgYEAwnxGHGBMpJaF
+2w7zAw3jHjL8PMYlV6vnufGHQlwF0ZUXJxRsvagMb/X1qACTu2VPYEVoLQGM3cfH
+EhHoQmvSXGAyTfR7Bmn3gf1n/s/DcFbdZduUCZ/rAyIrfd0eSbc1I+kZk85UCsKK
+w/IYdlqcuYa4Cgm2TapT5uEMqH4jhzEEFgIULh8swEUWmU8aJNWsrWl4eCiuUUg=
+-----END PRIVATE KEY-----
diff --git a/lib/ssh/test/ssh_engine_SUITE_data/ecdsa_private_key.pem b/lib/ssh/test/ssh_engine_SUITE_data/ecdsa_private_key.pem
new file mode 100644
index 0000000000..a45522064f
--- /dev/null
+++ b/lib/ssh/test/ssh_engine_SUITE_data/ecdsa_private_key.pem
@@ -0,0 +1,8 @@
+-----BEGIN PRIVATE KEY-----
+MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIBparGjr0KcdNrVM2J
+G0mW5ltP1QyvxDqBMyWLWo3fruRZv6Qoohl5skd1u4O+KJoM/UrrSTOXI/MDR7NN
+i1yl7O+hgYkDgYYABAG8K2XVsK0ahG9+HIIPwCO0pJY8ulwSTXwIjkCGyB2lpglh
+8qJmRzuyGcfRTslv8wfv0sPlT9H9PKDvgrTUL7rvQQDdOODNgVPXSecUoXoPn+X+
+eqxs77bjx+A5x0t/i3m5PfkaNPh5MZ1H/bWuOOdj2ZXZw0R4rlVc0zVrgnPU8L8S
+BQ==
+-----END PRIVATE KEY-----
diff --git a/lib/ssh/test/ssh_engine_SUITE_data/rsa_private_key.pem b/lib/ssh/test/ssh_engine_SUITE_data/rsa_private_key.pem
new file mode 100644
index 0000000000..ea0e3d3958
--- /dev/null
+++ b/lib/ssh/test/ssh_engine_SUITE_data/rsa_private_key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCwwb0/ddXGXTFK
+4FLxXdV6a/WJMSoPPS55RvZIAHFsiTtvPLbJ8LxDsZ6wSVZLN0/UQ4wdWn9jftyj
+U5/IxBVG8XOtKimTMvm3/ZOzVLueGHBbrLYscRv9oL85ulTKHWgrZDu0lBX5JJTI
+v5UTCErzJRQbka9DG1GaBgDb1PlXfkzBWMwfsBZmwoC77KvCcIGCgbW/XCY03TP2
+3Tg8drvpByMStddP2FQ4fZ91qFUzPu8uhZEsqSQTFlmhgGEx7dLlky0xvu62RuAD
+RTpINpcWZtWDHTdssOqu653LwwqBY8lBopCZ/4Af8QR3ZYkQhen1YLEbVheXRuzI
+LSCZIiJNAgMBAAECggEBAJH4/fxpqQkvr2Shy33Pu1xlyhnpw01gfn/jrcKasxEq
+aC4eWup86E2TY3U8q4pkfIXU3uLi+O9HNpmflwargNLc1mY8uqb44ygiv5bLNEKE
+9k2PXcdoBfC4jxPyoNFl5cBn/7LK1TazEjiTl15na9ZPWcLG1pG5/vMPYCgsQ1sP
+8J3c4E3aaXIj9QceYxBprl490OCzieGyZlRipncz3g4UShRc/b4cycvDZOJpmAy4
+zbWTcBcSMPVPi5coF0K8UcimiqZkotfb/2RLc433i34IdsIXMM+brdq+g8rmjg5a
++oQPy02M6tFApBruEhAz8DGgaLtDY6MLtyZAt3SjXnUCgYEA1zLgamdTHOqrrmIi
+eIQBnAJiyIfcY8B9SX1OsLGYFCHiPVwgUY35B2c7MavMsGcExJhtE+uxU7o5djtM
+R6r9cRHOXJ6EQwa8OwzzPqbM17/YqNDeK39bc9WOFUqRWrhDhVMPy6z8rmZr73mG
+IUC7mBNx/1GBdVYXIlsXzC96dI8CgYEA0kUAhz6I5nyPa70NDEUYHLHf3IW1BCmE
+UoVbraSePJtIEY/IqFx7oDuFo30d4n5z+8ICCtyid1h/Cp3mf3akOiqltYUfgV1G
+JgcEjKKYWEnO7cfFyO7LB7Y3GYYDJNy6EzVWPiwTGk9ZTfFJEESmHC45Unxgd17m
+Dx/R58rFgWMCgYBQXQWFdtSI5fH7C1bIHrPjKNju/h2FeurOuObcAVZDnmu4cmD3
+U8d9xkVKxVeJQM99A1coq0nrdI3k4zwXP3mp8fZYjDHkPe2pN6rW6L9yiohEcsuk
+/siON1/5/4DMmidM8LnjW9R45HLGWWGHpX7oyco2iJ+Jy/6Tq+T1MX3PbQKBgQCm
+hdsbQJ0u3CrBSmFQ/E9SOlRt0r4+45pVuCOY6yweF2QF9HcXTtbhWQJHLclDHJ5C
+Ha18aKuKFN3XzKFFBPKe1jOSBDGlQ/dQGnKx5fr8wMdObM3oiaTlIJuWbRmEUgJT
+QARjDIi8Z2b0YUhZx+Q9oSXoe3PyVYehJrQX+/BavQKBgQCIr7Zp0rQPbfqcTL+M
+OYHUoNcb14f9f8hXeXHQOqVpsGwxGdRQAU9wbx/4+obKB5xIkzBsVNcJwavisNja
+hegnGjTB/9Hc4m+5bMGwH0bhS2eQO4o+YYM2ypDmFQqDLRfFUlZ5PVHffm/aA9+g
+GanNBCsmtoHtV6CJ1UZ7NmBuIA==
+-----END PRIVATE KEY-----
diff --git a/lib/ssh/test/ssh_engine_SUITE_data/rsa_private_key_pwd.pem b/lib/ssh/test/ssh_engine_SUITE_data/rsa_private_key_pwd.pem
new file mode 100644
index 0000000000..501662fc35
--- /dev/null
+++ b/lib/ssh/test/ssh_engine_SUITE_data/rsa_private_key_pwd.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIh888Iq6gxuMCAggA
+MBQGCCqGSIb3DQMHBAic/11YZ8Nt5gSCBMjG/Jb4qiMoBS50iQvHXqcETPE+0NBr
+jhsn9w94LkdRBstMPAsoKmY98Er96Rnde/NfmqlU9CupKTkd7Ce5poBf72Y6KMED
+cPURyjbGRFsu6x9skXB2obhyKYEqAEF2oQAg4Qbe5v1qXBIgDuC/NgiJnM+w2zCZ
+LkHSZB2/NmcnvDzcgPF7TM8pTO23xCJ33m37qjfWvHsgocVqZmL9wQ4+wr/NMYjJ
+pJvX1OHW1vBsZsXh40WchalYRSB1VeO368QfsE8coRJztqbMzdce9EQdMB6Q6jlO
+cetd3moLIoMP4I7HW0/SgokbycTbRiYSvRyU1TGc2WbW6BrFZV24IckcnnVUFatf
+6HKUcaYLG68dJcRgs5QMGkcmgVvlddENHFmHZlo0eym/xSiUl/AT8/5odscm6ML8
+wW5sneax+TF4J2eYmiN7yjAUCodXVTNYNDVKo6uUhntlymbM0o4UitVIbPIfTDHl
+sxJAEZ7vpuPqeNMxUk6G6zipuEjqsVbnuFSBSZmgKiGYcifRPUmqqINa3DdS4WVx
+xaPWdHbHVRD//ze3h/FsA+1lIE5q2kUE0xXseJA1ISog++kJp14XeaaL2j/tx3Ob
+OsbcaOAD/IUw/ItDt9kn0qzfnar7sS0Wov8AmJQxHmH7Lm93jHTLM05yE0AR/eBr
+Mig2ZdC+9OqVC+GPuBkRjSs8NpltQIDroz6EV9IMwPwXm0szSYoyoPLmlHJUdnLs
+ZUef+au6hYkEJBrvuisagnq5eT/fCV3hsjD7yODebNU2CmBTo6X2PRx/xsBHRMWl
+QkoM9PBdSCnKv6HpHl4pchuoqU2NpFjN0BCaad6aHfZSTnqgzK4bEh1oO6dI8/rB
+/eh71JyFFG5J4xbpaqz5Su01V1iwU5leK5bDwqals4M4+ZGHGciou7qnXUmX2fJl
+r6DlMUa/xy+A2ZG0NuZR05yk2oB3+KVNMgp6zFty3XaxwoNtc8GTLtLnBnIh2rlP
+mE1+I65LRWwrNQalPeOAUrYuEzhyp2Df7a8Ykas5PUH7MGR/S0Ge/dLxtE2bJuK4
+znbLAsGhvo/SbNxYqIp6D4iDtd3va6yUGncy41paA/vTKFVvXZDrXcwJQYYCVOGT
+OwdzNuozU8Dc7oxsd8oakfC46kvmVaOrGvZbm56PFfprcaL/Hslska5xxEni/eZe
+WRxZbCBhAVqS1pn5zkDQVUe9uFlR/x39Qi01HIlKLBsjpSs6qQsFArMe8hgXmXLG
+xP+dyVuOE18NzSewdEjeqSRKIM7Qi8EOjZsI4HdSRBY7bh9VhmaVXDZiCSf33TTE
+3y8nimzQAeuGoYg6WqHmWWC2Qnpki2HlaIH/ayXEyQWkP/qvg61e8ovdg9Fy8JOO
+0AacXVt5zj0q00AW5bKx7usi4NIjZedi86hUm6H19aBm7r86BKjwYTEI/GOcdrbV
+9HC/8ayOimgwiAG3gq+aLioWym+Z6KnsbVd7XReVbvM/InQx54WA2y5im0A+/c67
+oQFFPV84XGX9waeqv/K4Wzkm6HW+qVAEM67482VGOf0PVrlQMno6dOotT/Y7ljoZ
+2iz0LmN9yylJnLPDrr1i6gzbs5OhhUgbF5LI2YP2wWdCZTl/DrKSIvQZWl8U+tw3
+ciA=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/lib/ssh/test/ssh_key_cb_engine_keys.erl b/lib/ssh/test/ssh_key_cb_engine_keys.erl
new file mode 100644
index 0000000000..fc9cbfd49b
--- /dev/null
+++ b/lib/ssh/test/ssh_key_cb_engine_keys.erl
@@ -0,0 +1,62 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2015-2017. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+%%----------------------------------------------------------------------
+
+%% Note: This module is used by ssh_basic_SUITE
+
+-module(ssh_key_cb_engine_keys).
+-behaviour(ssh_server_key_api).
+-compile(export_all).
+
+host_key(SshAlg, Options) ->
+    KBopts = proplists:get_value(key_cb_private, Options, []),
+    Engine = proplists:get_value(engine, KBopts),
+    case proplists:get_value(SshAlg, KBopts) of
+        undefined ->
+            {error, {unknown_alg,SshAlg}};
+        KeyId ->
+            case crypto_alg(SshAlg) of
+                undefined ->
+                    {error, {unsupported_alg,SshAlg}};
+                CryptoAlg ->
+                    PrivKey = #{engine => Engine,
+                                key_id => KeyId,
+                                algorithm => CryptoAlg},
+                    %% Is there a key with this reference ?
+                    case crypto:privkey_to_pubkey(CryptoAlg, PrivKey) of
+                        [_|_] -> 
+                            {ok, PrivKey};
+                        _ ->
+                            {error, {no_hostkey,SshAlg}}
+                    end
+            end
+    end.
+
+is_auth_key(_PublicUserKey, _User, _Options) ->
+    false.
+
+
+
+crypto_alg('ssh-rsa') -> rsa;
+crypto_alg('ssh-dss') -> dss;
+crypto_alg(_) -> undefined.
+