[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

pkinit integration with smart card

Any idea as to why I would receive a CKR_FUNCTION_FAILED error on the C_Sign operation from PKCS11 module?  

I'm getting to the signature operation on the smart card for PKINIT when the kinit segment faults.  I used the pkcs11 spy library from OpenSC and the final operations it records with the card are:
33: C_OpenSession
[in] slotID = 0x1
[in] flags = 0x4
[out] *phSession = 0x806b860
Returned:  0 CKR_OK

34: C_SignInit
[in] hSession = 0x806b860
[in] hKey = 0x8052508
Returned:  0 CKR_OK

35: C_Sign
[in] hSession = 0x806b860
[in] pData[ulDataLen] [size : 0x23 (35)]
    30213009 06052B0E 03021A05 00041496 9A0A7A5A 74DA942D CA0160DF CEABACB2

I've been trying to get the pkinit functionality to work with the ActivCard Gold middleware product.  They provide the pkcs11 module; using this module I'm able to get it to work with SSH using a patch, but I have not had success with heimdal.

The module does not implement the CKA_PUBLIC_EXPONENT class.  Originally, the kinit aborts due to the missing exponent and so that's manually inserted to the value from the certificates on the Smart Card in the ks_p11.c.

rsa->e = getattr_bn(p, slot, session, object, CKA_PUBLIC_EXPONENT);
if (rsa->e == NULL)
        BN_dec2bn(&rsa->e, "65537");
if (rsa->e == NULL)
        _hx509_abort("CKA_PUBLIC_EXPONENT missing");

I've also changed the rsa->e to any number with the same results, so I'm wondering if I'm doing it right.