[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: heimdal pkinit compiling on debian




"Prágai, Róbert" <pragai@rubin.hu> writes:

>> I've been working on rewriting the cms function in the pkinit patch
>> to make
>> it easier to use (and reuse) them. Part of why I'm doing this is to make it
>> simpler for the pkinit code to find the right certificate to use.
>>
> 	CMS is the name of the certificate management system?

Cryptographic Message Syntax, RFC3369 (aka PKCS7) encryption/signing with
secret and private/public keys. PKINIT (and S/MIME) uses it to encrypt/sign
data.

My CMS implementation is somewhat independed of the using what crypto
subsystem, but changes the view on certificates and keys to a more
certificates centered operation mode.

>> I'm not sure how useable it is given its for a specific card. I
>> think it
>> should be possible to glue in. However, I think that either using opensc
>> crypto function or the opensc pkcs11 module (either directly or via
>> openssl).
>>
> 	Using OpenSSL engine would probably let the doors for other
> moduls wider than using OpenSC itself. So I think it is a good choice
> to use OpenSL engines.

The problem is the following, how do you as an application find the
certificate for a user ?

With PKCS11 you can match the certificate with the public and private key,
in openssl/engine you can get hold of _one_ public key and _one_ private
key. But there is no associated certificate.

There are pkcs#11 modules implemented using openssl (see soft-token and
gpkcs11), so that isn't really and issue. They just need engine support and
that is no hard to write.

>> The "load" is somewhat misnamed, its more of a configuration option,
>> "here
>> you find the private key", the current code assumes that there there is a
>> openssl EVP_PKEY (RSA is assumed) that its possible to do EVP_Sign() and
>> EVP_PKEY_decrypt() with.
>> So if you change the code to support something more then "FILE:"
>> that would
>> be ok. Something like
>> OPENSSL-ENGINE:modulename,/path/to/module.so,key_id,/path/to/certifitate.pem
>> I've yet to see a way to get hold of the CA certificate and
>> certificate
>> itself that lives on the smartcard though openssl's api, so I don't really
>> like this solution, but I'm sure it will be the fastest way to get it
>> working.
>> If you decides to work on the pkcs11 solution, I've got both pkcs11
>> code
>> that might be a good start, and some time a ago I wrote a pkcs11 software
>> module (http://people.su.se/~lha/soft-pkcs11/) so I don't need to carry
>> around the smartcard reader all the time. Note that the rsa keybindling is
>> turned off since it makes it not work when running inside mozilla.
>>
> 	I'll see the pkcs11 solution. However AFAIK there is an opensc
> engine (not pkcs11) for OpenSSL, which is capable of signing. I'm not
> sure whether it would be wiser to use that instead of the pkcs11
> module

opensc have both a opensc pkcs11 openssl engine and and "pure" openssl
engine. It was with the opensc pkcs11 openssl engine I tested the openssl
engine code for Heimdal I wrote yestoday using soft-token.

That said, did you get around to testing my new code, it should do what you
want. I'll try to improve the error messages when I reinstall my test host
and move the smartcard reader there.

> or something prevents it?

That prevents it is what configuration sucks.

kinit -C ENGINE:ENGINE=dynamic,PRE=SO_PATH:/usr/lib/opensc/engine_pkcs11.so,PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,PRE=MODULE_PATH:/usr/lib/opensc/soft-pkcs11.so:CERT=/path/lha.crt,KEY=slot_0 lha@N.L.NXS.SE

this can be shorted to

[libdefaults]
	pkinit-openssl-engine = ENGINE=dynamic,PRE=SO_PATH:/usr/lib/opensc/engine_pkcs11.so,PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,PRE=MODULE_PATH:/usr/lib/opensc/soft-pkcs11.so

kinit -C ENGINE:CERT=/path/lha.crt,KEY=slot_0 lha@N.L.NXS.SE

What I want is something like:

[libdefaults]
        pkinit-key-search-path = PKCS11:/path/module.so,[slot=3]
        pkinit-key-search-path = PKCS12:$HOME/.kinit.pfx
        pkinit-key-search-path = PEM:$HOME/.kinit.pem,$HOME/.kinit.key

kinit --pkinit lha@N.L.NXS.SE

and the code figures out what cert to use, using friendlyname, pkinit
extended keyusage, pkinit altsubjectname, or just guessing first usable
avaible certificate/key pair.

Love

PGP signature