pkinit integration with smart card
Any idea as to why I would receive a CKR_FUNCTION_FAILED error on the C_Sign operation from the PKCS11 module?

I'm getting to the signature operation on the smart card for PKINIT when kinit segfaults. I used the pkcs11 spy library from OpenSC, and the final operations it records with the card are:
33: C_OpenSession
    [in] slotID = 0x1
    [in] flags = 0x4
    pApplication=(nil)
    Notify=(nil)
    [out] *phSession = 0x806b860
    Returned: 0 CKR_OK
34: C_SignInit
    [in] hSession = 0x806b860
    pMechanism->type=CKM_RSA_PKCS
    [in] hKey = 0x8052508
    Returned: 0 CKR_OK
35: C_Sign
    [in] hSession = 0x806b860
    [in] pData[ulDataLen] [size : 0x23 (35)]
        30213009 06052B0E 03021A05 00041496
        9A0A7A5A 74DA942D CA0160DF CEABACB2
        EB2E3F
    Returned: 6 CKR_FUNCTION_FAILED
I've been trying to get the pkinit functionality to work with the ActivCard Gold middleware product. They provide the pkcs11 module; using this module I'm able to get it to work with SSH using a patch, but I have not had success with heimdal.

The module does not implement the CKA_PUBLIC_EXPONENT class. Originally, kinit aborts due to the missing exponent, so that's manually set to the value from the certificates on the smart card in ks_p11.c:
    /* Read the public exponent from the token; the ActivCard module
     * does not return CKA_PUBLIC_EXPONENT, so fall back to 65537. */
    rsa->e = getattr_bn(p, slot, session, object, CKA_PUBLIC_EXPONENT);
    if (rsa->e == NULL)
        BN_dec2bn(&rsa->e, "65537");   /* allocates a new BIGNUM when rsa->e is NULL */
    if (rsa->e == NULL)
        _hx509_abort("CKA_PUBLIC_EXPONENT missing");
I've also changed rsa->e to other numbers with the same results, so I'm wondering if I'm doing it right.