[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Love Hörnquist Åstrand wrote:
> Matthew Andrews <firstname.lastname@example.org> writes:
>>Yes, I believe that the "Not Supported" error is orriginating in
>>soft-pkcs11. I was just trying to figure out how you would succesfully
>>use soft-pkcs11 with kinit if this was the case. is there a way to get
>>openssl to use the engine only for certain operations?
> I think the error is from this snippet of code in opensc's openssl engine.
> Its doesn't support rsa encryption. soft-pkcs11 does support rsa
> static int
> pkcs11_rsa_encrypt(int flen, const unsigned char *from, unsigned char *to,
> RSA * rsa, int padding)
> /* PKCS11 calls go here */
> PKCS11err(PKCS11_F_PKCS11_RSA_ENCRYPT, PKCS11_NOT_SUPPORTED);
> return -1;
you're absolutely right about this. I even walked through thisin gdb but
it was late and I was getting tired, and sloppy and thought I was in the
soft-pkcs11 library, not the opensc library. sorry about that.
and again thanks for the help. At this point I can successfully use
kinit to get tickets using a key pulled from soft-pkcs11. now I just
need to add a mechanism to soft-pkcs11 that has it require a login, and
uses the login pin to acquire credentials for the user. time to read up
a little more on pkcs11, and figure out how I'm going to be able to get
a username(principal) all the way from the heimdal library layer down to
the pkcs11 layer(maybe as a pkcs11 object attribute that is searched for?).
Just in case anyone cares, my goal here is to have a pkcs11 software
token that requires login to retrieve a user key/cert pair, and to upon
"login" to actually acquire the key/cert from a globus myproxy server.
I'm not sure if anyone else would be interested in additional hooks in
soft-pkcs11 to retrieve a credential from some external source requiring
a login, but if there's interest I'd be happy to make this as generic as
possible, and contribute it back.
>>thanks for the note aout --pkinit-use-dh, I'll try that out for now.
> I think I'll make using DH the default when I verify that my code written
> that parses the dh group info is correct.