Re: heimdal pkinit compiling on debian

[Love <lha@stacken.kth.se>]

Love <lha@stacken.kth.se> writes:

> "Prágai, Róbert" <pragai@rubin.hu> writes:
>> - As there will be no "loading of private key" as there is practically
>> no way to get the private key out of the card, is there a common way
>> to notify the _krb5_pk_create_sign function that the signature
>> creation should be done in a different way? Or should I invent a new
>> method?
[...]
> OPENSSL-ENGINE:modulename,/path/to/module.so,key_id,/path/to/certifitate.pem

I just wrote some code to support openssl engines, tonight snapshot will
include it;

Using opensc pkcs11 engine using my softtoken:

./kinit --no-addr -C \
ENGINE:ENGINE=dynamic,PRE=SO_PATH:/sources/opensc/dest0.9.2/lib/opensc/engine_pkcs11.so,PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,PRE=MODULE_PATH:/home/lha/src/cvs/soft-pkcs11/o/.libs/soft-pkcs11.so,CERT=/secure/lha/l.nxs.se/CA/lha.crt,KEY=slot_0 \
lha@N.L.NXS.SE

or

./kinit --no-addr -C ENGINE:CERT=/secure/lha/l.nxs.se/CA/lha.crt,KEY=slot_0 \
lha@N.L.NXS.SE

this in krb5.conf

[libdefaults]
	pkinit-openssl-engine = ENGINE=dynamic,PRE=SO_PATH:/sources/opensc/dest0.9.2/lib/opensc/engine_pkcs11.so,PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,PRE=MODULE_PATH:/home/lha/src/cvs/soft-pkcs11/o/.libs/soft-pkcs11.so

my .softtoken.rc looks like this:

: lha@nutcracker ; cat ~/.soft-token.rc
# Separator is \t
# fields are id, label, cert file[, optional keyfile]
lha     Love's certificate      /path/lha.crt /path/lha-no-pw.key
anchor  L.NXS.SE CA     /path/CA/ca.crt

It all failes with

kinit: krb5_get_init_creds: Can't decrypt key: error:2A008404:PKCS11 library:PKCS11_rsa_decrypt:Not supported

because opensc doesn't implement rsa encryption/decryption in their openssl
pkcs11 engine module, that shouldn't be too hard to add.

I also updated http://people.su.se/~lha/patches/heimdal/pkinit/ to explain
what all the options mean.

Love

PGP signature