
Fwd: pkinit integration with smart card





Forwarded message:

> From: Love Hörnquist Åstrand <lha@kth.se>
> Date: Friday 1 Sep 2006 15.15.41 GMT+02:00
> To: malexander@kcp.com
> Subject: Re: pkinit integration with smart card
>
> The pkcs11 code in Heimdal assumes that the library supports CKM_RSA_PKCS;
> I guess I'm quite wrong in assuming that is generally true.
>
> I hope this isn't a smartcard with a slow CPU or a slow pipe, otherwise it's
> going to suck to push the data to sign over to the card. It might be that we
> have some luck in that the Kerberos PK-INIT profile mandates signedAttrs,
> and that will cut the data down to 100-200 bytes from multiple KB.
>
> The crypto glue in hx509 needs some refactoring if you can't get your card
> to do CKM_RSA_PKCS.
>
> Love
>
>
>
>
> On 31 Aug 2006, at 23.12, malexander@kcp.com wrote:
>
>>
>> Thanks for the response.  Completely new to these low-level points
>> with the Smart Card, so I've been looking up some terms; I appreciate
>> the advice.
>>
>> I looked at the pkcs11-tool output first:
>> pkcs11-tool --module /usr/local/acgold/lib/libpkcs11.so -M
>> Supported mechanisms:
>>   RSA-PKCS, wrap, unwrap, other flags=0x20000
>>   SHA1-RSA-PKCS, sign, verify, wrap, unwrap, encrypt, decrypt, keypairgen, other flags=0x2d000
>>
>> The length of the destination buffer is 128 bytes.  The length of the
>> signature in pData is 35 bytes.  Is the CKM_RSA_X_509 mechanism a tool
>> of the Card?  Should/could the pData for signature be padded to 128 with
>> a method external to the card?
>>
>>
>>
>>
>> "Douglas E. Engert" <deengert@anl.gov>
>> Sent by: owner-heimdal-discuss@sics.se
>> 08/31/2006 01:41 PM
>>
>> To: malexander@kcp.com
>> cc: heimdal-discuss@sics.se
>> Subject: Re: pkinit integration with smart card
>>
>> I have gotten Heimdal to work with other OpenSC-supported cards.
>>
>> It could be that the card says it has CKM_RSA_PKCS but really does
>> not, or the pkcs11 lib is simulating CKM_RSA_PKCS and is having
>> problems doing the padding.  It might be possible to use the
>> CKM_RSA_X_509 (raw) mechanism, by doing the PKCS padding first, then
>> calling the C_Sign functions.
>>
>> Could also be that the pkcs11 is expecting the pSignature and
>> pSignatureLen to be set correctly, i.e. for a 1024 key, to a 128 byte
>> buffer, and it is returning the wrong error code.
>>
>> If you can use the OpenSC spy, can you use pkcs11-tool as well,
>> pointing it at your PKCS11 (--module <sharedlib>)?  What mechanisms
>> does it say it has?
>>
>>
>>
>> malexander@kcp.com wrote:
>>
>> > Any idea as to why I would receive a CKR_FUNCTION_FAILED error on the
>> > C_Sign operation from the PKCS11 module?
>> >
>> > I'm getting to the signature operation on the smart card for PKINIT
>> > when kinit segfaults.  I used the pkcs11 spy library from OpenSC and
>> > the final operations it records with the card are:
>> > 33: C_OpenSession
>> > [in] slotID = 0x1
>> > [in] flags = 0x4
>> > pApplication=(nil)
>> > Notify=(nil)
>> > [out] *phSession = 0x806b860
>> > Returned:  0 CKR_OK
>> >
>> >
>> > 34: C_SignInit
>> > [in] hSession = 0x806b860
>> > pMechanism->type=CKM_RSA_PKCS
>> > [in] hKey = 0x8052508
>> > Returned:  0 CKR_OK
>> >
>> >
>> > 35: C_Sign
>> > [in] hSession = 0x806b860
>> > [in] pData[ulDataLen] [size : 0x23 (35)]
>> >     30213009 06052B0E 03021A05 00041496 9A0A7A5A 74DA942D CA0160DF
>> > CEABACB2
>> >     EB2E3F
>> > Returned:  6 CKR_FUNCTION_FAILED
>> >
>> > I've been trying to get the pkinit functionality to work with the
>> > ActivCard Gold middleware product.  They provide the pkcs11 module;
>> > using this module I'm able to get it to work with SSH using a patch,
>> > but I have not had success with Heimdal.
>> >
>> > The module does not implement the CKA_PUBLIC_EXPONENT class.
>> > Originally, kinit aborts due to the missing exponent, and so that's
>> > manually set to the value from the certificates on the Smart Card in
>> > ks_p11.c.
>> >
>> > rsa->e = getattr_bn(p, slot, session, object, CKA_PUBLIC_EXPONENT);
>> > if (rsa->e == NULL)            /* attribute missing: fall back to 65537 (F4) */
>> >         BN_dec2bn(&rsa->e, "65537");
>> > if (rsa->e == NULL)            /* BN_dec2bn failed as well */
>> >         _hx509_abort("CKA_PUBLIC_EXPONENT missing");
>> >
>> > I've also changed rsa->e to any number with the same results, so I'm
>> > wondering if I'm doing it right.
>> >
>>
>> -- 
>>
>>  Douglas E. Engert  <DEEngert@anl.gov>
>>  Argonne National Laboratory
>>  9700 South Cass Avenue
>>  Argonne, Illinois  60439
>>  (630) 252-5444
>>
>
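Douglas's suggestion above (do the PKCS#1 v1.5 padding yourself, then sign with the raw CKM_RSA_X_509 mechanism) as an added example, not code from this thread or from Heimdal: it rebuilds the 35-byte SHA-1 DigestInfo shown in the pkcs11-spy trace and pads it to the 128-byte modulus size of a 1024-bit key. The digest bytes are the ones from the trace; the function names are my own, and the resulting block is what C_Sign would be given after C_SignInit with CKM_RSA_X_509, with pSignature sized to the modulus length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER prefix of a SHA-1 DigestInfo (RFC 3447, section 9.2, note 1). These are
   the first 15 bytes of the 35-byte pData in the pkcs11-spy trace above. */
static const uint8_t SHA1_DIGESTINFO_PREFIX[15] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A,
    0x05, 0x00, 0x04, 0x14 };

/* The 20 SHA-1 digest bytes that follow that prefix in the trace (sample input). */
static const uint8_t TRACE_DIGEST[20] = {
    0x96, 0x9A, 0x0A, 0x7A, 0x5A, 0x74, 0xDA, 0x94, 0x2D, 0xCA,
    0x01, 0x60, 0xDF, 0xCE, 0xAB, 0xAC, 0xB2, 0xEB, 0x2E, 0x3F };

/* EMSA-PKCS1-v1_5 type 1 padding: EM = 00 || 01 || FF..FF || 00 || T, where
   EM is k bytes (the modulus length) and at least 8 bytes of FF are present.
   Returns 0 on success, -1 if k < t_len + 11 or the output buffer is too short. */
int pkcs1_v15_pad(const uint8_t *t, size_t t_len, size_t k, uint8_t *em, size_t em_cap)
{
    if (em_cap < k || k < t_len + 11) return -1;
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xFF, k - t_len - 3);   /* PS: k - t_len - 3 bytes of 0xFF */
    em[k - t_len - 1] = 0x00;              /* separator before T */
    memcpy(em + k - t_len, t, t_len);      /* T = DigestInfo */
    return 0;
}

/* T = DigestInfo(SHA-1, digest), padded for a k-byte modulus (k = 128 for the
   1024-bit key in the thread). This is the buffer to hand to C_Sign after
   C_SignInit with CKM_RSA_X_509 (hypothetical helper, not a Heimdal function). */
int sha1_digestinfo_pad(const uint8_t digest[20], size_t k, uint8_t *em, size_t em_cap)
{
    uint8_t t[35];
    memcpy(t, SHA1_DIGESTINFO_PREFIX, sizeof SHA1_DIGESTINFO_PREFIX);
    memcpy(t + sizeof SHA1_DIGESTINFO_PREFIX, digest, 20);
    return pkcs1_v15_pad(t, sizeof t, k, em, em_cap);
}

int main(void)
{
    uint8_t em[128];
    size_t i;
    if (sha1_digestinfo_pad(TRACE_DIGEST, sizeof em, em, sizeof em) != 0)
        return 1;
    for (i = 0; i < sizeof em; i++)        /* hex dump of the 128-byte padded block */
        printf("%02X%s", em[i], (i % 16 == 15) ? "\n" : " ");
    return 0;
}
```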