[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pkinit integration with smart card

Thanks for the response.  Complely new to these low level points with the Smart Card so I've been looking up some terms, I appreciate the advice.

I looked at the PKCS11-tool output first:
pkcs11-tool --module /usr/local/acgold/lib/libpkcs11.so  -M  Supported mechanisms:
  RSA-PKCS, wrap, unwrap, other flags=0x20000
  SHA1-RSA-PKCS, sign, verify, wrap, unwrap, encrypt, decrypt, keypairgen, other flags=0x2d000

The length of the destination buffer is 128 bytes.  The length of the signature in pData is 35 bytes.  Is the CKM_RSA_X_509 mechanism a tool of the Card?  Should/could the pData for signature be padded to 128 with a method external to the card?

"Douglas E. Engert" <deengert@anl.gov>
Sent by: owner-heimdal-discuss@sics.se

08/31/2006 01:41 PM

Re: pkinit integration with smart card

I have gotten the Heimdal to work with other OpenSC supported cards.

It could be that the card says it has the CKM_RSA_PKCS but really does
not or the pkcs11 lib is simulating CKM_RSA_PKCS and is having problems
doing the padding.  It might be possible to use the CKM_RSA_X_509 (raw)
mechanisum, by doing the PKCS padding first, then calling the C_Sign

Could also be that the pkcs11 is expecting the pSignature and pSignatureLen
to be set correctly, i.e. for a 1024 key, to a 128 byte buffer, and it is
returing the wrong error code.

If you can use the OpenSC spy, can you use the pkcs11-tool as well
pointing it at your PKCS11( -module <sharedlib>)? What mechanisums does
it say it has?

malexander@kcp.com wrote:

> Any idea as to why I would receive a CKR_FUNCTION_FAILED error on the
> C_Sign operation from PKCS11 module?
> I'm getting to the signature operation on the smart card for PKINIT when
> the kinit segment faults.  I used the pkcs11 spy library from OpenSC and
> the final operations it records with the card are:
> 33: C_OpenSession
> [in] slotID = 0x1
> [in] flags = 0x4
> pApplication=(nil)
> Notify=(nil)
> [out] *phSession = 0x806b860
> Returned:  0 CKR_OK
> 34: C_SignInit
> [in] hSession = 0x806b860
> pMechanism->type=CKM_RSA_PKCS
> [in] hKey = 0x8052508
> Returned:  0 CKR_OK
> 35: C_Sign
> [in] hSession = 0x806b860
> [in] pData[ulDataLen] [size : 0x23 (35)]
>     30213009 06052B0E 03021A05 00041496 9A0A7A5A 74DA942D CA0160DF
>     EB2E3F
> I've been trying to get the pkinit functionality to work with the
> ActivCard Gold middleware product.  They provide the pkcs11 module; using
> this module I'm able to get it to work with SSH using a patch, but I have
> not had success with heimdal.
> The module does not implement the CKA_PUBLIC_EXPONENT class.  Originally,
> the kinit aborts due to the missing exponent and so that's manually
> inserted to the value from the certificates on the Smart Card in the
> ks_p11.c.
> rsa->e = getattr_bn(p, slot, session, object, CKA_PUBLIC_EXPONENT);
> if (rsa->e == NULL)
>         BN_dec2bn(&rsa->e, "65537");
> if (rsa->e == NULL)
>         _hx509_abort("CKA_PUBLIC_EXPONENT missing");
> I've also changed the rsa->e to any number with the same results, so I'm
> wondering if I'm doing it right.


 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444