
Re: pkinit integration with smart card




On 6 Sep 2006, at 17:12, malexander@kcp.com wrote:


Progress!  Thanks, Love and Doug!  I get output from according to the p11 logs for the signature.  That's great!

 $ kinit -C PKCS11:/usr/lib/pkcs11-spy.so
PIN code for ActivCard USB Reader 2.0 (60102D27) 00 00:
( Wrap Unwrap )
( Encrypt Decrypt Sign SigRecov Verify VerRecov Generate KeyPair Wrap Unwrap )
kinit: krb5_get_init_creds: Unknown error 569894

So that's a big hurdle gotten past.  I need to see where I'm hanging up on now, but I ran a quick packet capture and packets are getting sent to the domain controller.

That error is HX509_CMS_NO_RECIPIENT_CERTIFICATE and it means that the
CMS lib doesn't find the certificate that made the signature/encryption. I assume
DH is used, so that would be signature then.

I need to add more debug messages to figure out, but if you can run gdb on kinit
and try to figure out why find_CMSIdentifier() doesn't find the certificate (if it's even passed
back from the KDC).

Love
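
As an added example (not code from the thread or from Heimdal): a bare "Unknown error 569894" can be traced to its library by undoing the com_err packing, which stores the error-table name 6 bits per character above an 8-bit message index. The function names are hypothetical; the result for the code in this thread is table "hx", the name of Heimdal's hx509 error table, with index 38, the entry the reply names.

```c
#include <stdio.h>
#include <string.h>

/* com_err layout: table name packed 6 bits per character, shifted
 * above an 8-bit index that selects the message inside the table. */
#define ERRCODE_RANGE 8
#define BITS_PER_CHAR 6

static const char char_set[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";

/* Recover the table name from an error code; name needs 6 bytes. */
const char *et_table_name(long code, char *name)
{
    unsigned long n = ((unsigned long)code >> ERRCODE_RANGE) & 077777777UL;
    char *p = name;
    for (int i = 4; i >= 0; i--) {
        unsigned ch = (n >> (BITS_PER_CHAR * i)) & ((1u << BITS_PER_CHAR) - 1);
        if (ch != 0)            /* 0 means "no character in this slot" */
            *p++ = char_set[ch - 1];
    }
    *p = '\0';
    return name;
}

/* Index of the message inside its table. */
int et_index(long code) { return (int)(code & ((1L << ERRCODE_RANGE) - 1)); }

/* Inverse direction: base code of a table name (up to 4 characters). */
long et_table_base(const char *table)
{
    long n = 0;
    for (; *table; table++) {
        const char *q = strchr(char_set, *table);
        if (q == NULL)
            return -1;          /* character not valid in a table name */
        n = (n << BITS_PER_CHAR) + (q - char_set) + 1;
    }
    return n << ERRCODE_RANGE;
}

int main(void)
{
    char name[8];
    long code = 569894;         /* value kinit printed in the thread */
    printf("%ld -> table \"%s\" (base %ld), index %d\n", code,
           et_table_name(code, name), et_table_base(name), et_index(code));
    return 0;
}
```

With the table name and index in hand, the symbolic name can be looked up in that library's `.et` source file.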