[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pkinit/opensc/soft-pkcs11

Love Hörnquist Åstrand wrote:
> Matthew Andrews <matt@slackers.net> writes:
>>Yes, I believe that the "Not Supported" error is orriginating in
>>soft-pkcs11. I was just trying to figure out how you would succesfully
>>use soft-pkcs11 with kinit if this was the case. is there a way to get
>>openssl to use the engine only for certain operations?
> I think the error is from this snippet of code in opensc's openssl engine.
> Its doesn't support rsa encryption. soft-pkcs11 does support rsa
> encryption.
> static int
> pkcs11_rsa_encrypt(int flen, const unsigned char *from, unsigned char *to,
> 		   RSA * rsa, int padding)
> {
> 	/* PKCS11 calls go here */
> 	return -1;
> }

you're absolutely right about this. I even walked through thisin gdb but 
it was late and I was getting tired, and sloppy and thought I was in the 
soft-pkcs11 library, not the opensc library. sorry about that.

and again thanks for the help. At this point I can successfully use 
kinit to get tickets using a key pulled from soft-pkcs11. now I just 
need to add a mechanism to soft-pkcs11 that has it require a login, and 
uses the login pin to acquire credentials for the user. time to read up 
a little more on pkcs11, and figure out how I'm going to be able to get 
a username(principal) all the way from the heimdal library layer down to 
the pkcs11 layer(maybe as a pkcs11 object attribute that is searched for?).

Just in case anyone cares, my goal here is to have a pkcs11 software 
token that requires login to retrieve a user key/cert pair, and to upon 
"login" to actually acquire the key/cert from a globus myproxy server.

I'm not sure if anyone else would be interested in additional hooks in 
soft-pkcs11 to retrieve a credential from some external source requiring 
a login, but if there's interest I'd be happy to make this as generic as 
possible, and contribute it back.

-Matt Andrews

>>thanks for the note aout --pkinit-use-dh, I'll try that out for now.
> I think I'll make using DH the default when I verify that my code written
> that parses the dh group info is correct.
> Love