
Re: pkinit/opensc/soft-pkcs11

Matthew N. Andrews wrote:
> so after wrestling with a mass of linking problems I seem to finally 
> have openssl, heimdal, opensc, and soft-pkcs11 all built with debugging 
> and without optimization(YAY!). now however I'm still having some 
> trouble getting it all to work.
> when I run "kinit -C 
> ENGINE:ENGINE=dynamic,PRE=SO_PATH:/opt/opensc-0.9.6/lib/opensc/engine_pkcs11.so,PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,PRE=MODULE_PATH:/usr/local/lib/soft-pkcs11.so,CERT=/tmp/x509up_u31765,KEY=slot_0 
> ma3d"

With the cert in /tmp/x509up_u31765 it looks like you are trying to
use a Globus proxy cert. The private key should also be in the same file
so it is not clear why you need the engine or pkcs11 at all. Try changing
KEY=slot_0 to KEY=/tmp/x509up_u31765.

> I get the following error:
> kinit: krb5_get_init_creds: Can't decrypt key: error:2A008404:PKCS11 
> library:PKCS11_rsa_decrypt:Not supported
> now this seems to be a case of openssl trying to use the engine that was 
> loaded to decrypt something which soft-pkcs11 does not do. Is this 
> supposed to fail in this way?
> Love, I notice that you have this error on your pkinit for heimdal page. 
> Is it currently possible to use soft-pkcs11 with heimdal pkinit?
> Just fyi I'm using heimdal-20050927, opensc-0.9.6, openssl-0.9.8, and 
> soft-pkcs11-1.3.
> (I could have sworn I saw this work once, but then again I might just be 
> completely hallucinating after spending 3 out of the last four days on 
> this stuff.)
> -Matt


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444