Interestingly when I use the patch for
OpenSSH (http://alon.barlev.googlepages.com/openssh-pkcs11) that enables
PKCS11 it does work.
The in data for both heimdal pkinit
and SSH are a lenght of 35 bytes. The last two entries from the PKCS11
Spy output are:
37: C_SignInit [in] hSession = 0x812c988 pMechanism->type=CKM_RSA_PKCS [in] hKey = 0x814c998 Returned: 0 CKR_OK
"Douglas E. Engert"
<deengert@anl.gov> Sent by: owner-heimdal-discuss@sics.se
08/31/2006 01:41 PM
To
malexander@kcp.com
cc
heimdal-discuss@sics.se
Subject
Re: pkinit integration with smart card
I have gotten the Heimdal to work with other OpenSC
supported cards.
It could be that the card says it has the CKM_RSA_PKCS but really does
not or the pkcs11 lib is simulating CKM_RSA_PKCS and is having problems
doing the padding. It might be possible to use the CKM_RSA_X_509
(raw)
mechanisum, by doing the PKCS padding first, then calling the C_Sign
functions.
Could also be that the pkcs11 is expecting the pSignature and pSignatureLen
to be set correctly, i.e. for a 1024 key, to a 128 byte buffer, and it
is
returing the wrong error code.
If you can use the OpenSC spy, can you use the pkcs11-tool as well
pointing it at your PKCS11( -module <sharedlib>)? What mechanisums
does
it say it has?
malexander@kcp.com wrote:
> Any idea as to why I would receive a CKR_FUNCTION_FAILED error on
the
> C_Sign operation from PKCS11 module?
>
> I'm getting to the signature operation on the smart card for PKINIT
when
> the kinit segment faults. I used the pkcs11 spy library from
OpenSC and
> the final operations it records with the card are:
> 33: C_OpenSession
> [in] slotID = 0x1
> [in] flags = 0x4
> pApplication=(nil)
> Notify=(nil)
> [out] *phSession = 0x806b860
> Returned: 0 CKR_OK
>
>
> 34: C_SignInit
> [in] hSession = 0x806b860
> pMechanism->type=CKM_RSA_PKCS
> [in] hKey = 0x8052508
> Returned: 0 CKR_OK
>
>
> 35: C_Sign
> [in] hSession = 0x806b860
> [in] pData[ulDataLen] [size : 0x23 (35)]
> 30213009 06052B0E 03021A05 00041496 9A0A7A5A 74DA942D
CA0160DF
> CEABACB2
> EB2E3F
> Returned: 6 CKR_FUNCTION_FAILED
>
> I've been trying to get the pkinit functionality to work with the
> ActivCard Gold middleware product. They provide the pkcs11 module;
using
> this module I'm able to get it to work with SSH using a patch, but
I have
> not had success with heimdal.
>
> The module does not implement the CKA_PUBLIC_EXPONENT class. Originally,
> the kinit aborts due to the missing exponent and so that's manually
> inserted to the value from the certificates on the Smart Card in the
> ks_p11.c.
>
> rsa->e = getattr_bn(p, slot, session, object, CKA_PUBLIC_EXPONENT);
> if (rsa->e == NULL)
> BN_dec2bn(&rsa->e, "65537");
> if (rsa->e == NULL)
> _hx509_abort("CKA_PUBLIC_EXPONENT
missing");
>
> I've also changed the rsa->e to any number with the same results,
so I'm
> wondering if I'm doing it right.
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444