[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pkinit integration with smart card

To: malexander@kcp.com
Subject: Re: pkinit integration with smart card
From: "Douglas E. Engert" <deengert@anl.gov>
Date: Thu, 31 Aug 2006 13:41:48 -0500
Cc: heimdal-discuss@sics.se
In-Reply-To: <OF92D44B96.E0BE030B-ON862571DB.00579652-862571DB.0057AAA2@kcp.com>
References: <OF92D44B96.E0BE030B-ON862571DB.00579652-862571DB.0057AAA2@kcp.com>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060414

I have gotten the Heimdal to work with other OpenSC supported cards.

It could be that the card says it has the CKM_RSA_PKCS but really does
not or the pkcs11 lib is simulating CKM_RSA_PKCS and is having problems
doing the padding.  It might be possible to use the CKM_RSA_X_509 (raw)
mechanisum, by doing the PKCS padding first, then calling the C_Sign
functions.

Could also be that the pkcs11 is expecting the pSignature and pSignatureLen
to be set correctly, i.e. for a 1024 key, to a 128 byte buffer, and it is
returing the wrong error code.

If you can use the OpenSC spy, can you use the pkcs11-tool as well
pointing it at your PKCS11( -module <sharedlib>)? What mechanisums does
it say it has?



malexander@kcp.com wrote:

> Any idea as to why I would receive a CKR_FUNCTION_FAILED error on the 
> C_Sign operation from PKCS11 module? 
> 
> I'm getting to the signature operation on the smart card for PKINIT when 
> the kinit segment faults.  I used the pkcs11 spy library from OpenSC and 
> the final operations it records with the card are:
> 33: C_OpenSession
> [in] slotID = 0x1
> [in] flags = 0x4
> pApplication=(nil)
> Notify=(nil)
> [out] *phSession = 0x806b860
> Returned:  0 CKR_OK
> 
> 
> 34: C_SignInit
> [in] hSession = 0x806b860
> pMechanism->type=CKM_RSA_PKCS
> [in] hKey = 0x8052508
> Returned:  0 CKR_OK
> 
> 
> 35: C_Sign
> [in] hSession = 0x806b860
> [in] pData[ulDataLen] [size : 0x23 (35)]
>     30213009 06052B0E 03021A05 00041496 9A0A7A5A 74DA942D CA0160DF 
> CEABACB2
>     EB2E3F
> Returned:  6 CKR_FUNCTION_FAILED
> 
> I've been trying to get the pkinit functionality to work with the 
> ActivCard Gold middleware product.  They provide the pkcs11 module; using 
> this module I'm able to get it to work with SSH using a patch, but I have 
> not had success with heimdal.
> 
> The module does not implement the CKA_PUBLIC_EXPONENT class.  Originally, 
> the kinit aborts due to the missing exponent and so that's manually 
> inserted to the value from the certificates on the Smart Card in the 
> ks_p11.c.
> 
> rsa->e = getattr_bn(p, slot, session, object, CKA_PUBLIC_EXPONENT);
> if (rsa->e == NULL)
>         BN_dec2bn(&rsa->e, "65537");
> if (rsa->e == NULL)
>         _hx509_abort("CKA_PUBLIC_EXPONENT missing");
> 
> I've also changed the rsa->e to any number with the same results, so I'm 
> wondering if I'm doing it right.
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Follow-Ups:
- Re: pkinit integration with smart card
  - From: malexander@kcp.com
- Re: pkinit integration with smart card
  - From: malexander@kcp.com

References:
- pkinit integration with smart card
  - From: malexander@kcp.com

Prev by Date: pkinit integration with smart card
Next by Date: Re: pkinit integration with smart card
Prev by thread: pkinit integration with smart card
Next by thread: Re: pkinit integration with smart card
Index(es):
- Date
- Thread