
Re: pkinit integration with smart card

Progress!  Thanks, Love and Doug!  I get output from according to the p11 logs for the signature.  That's great!

 $ kinit -C PKCS11:/usr/lib/pkcs11-spy.so
PIN code for ActivCard USB Reader 2.0 (60102D27) 00 00:
( Wrap Unwrap )
( Encrypt Decrypt Sign SigRecov Verify VerRecov Generate KeyPair Wrap Unwrap )
kinit: krb5_get_init_creds: Unknown error 569894

So that's a big hurdle gotten past.  I need to see where I'm hanging up on now, but I ran a quick packet capture and packets are getting sent to the domain controller.

Love Hörnquist Åstrand <lha@kth.se>
Sent by: owner-heimdal-discuss@sics.se

09/06/2006 05:02 AM

"Douglas E. Engert" <deengert@anl.gov>
malexander@kcp.com, heimdal-discuss@sics.se
Re: pkinit integration with smart card

On 6 Sep 2006, at 00:04, Douglas E. Engert wrote:

> Love Hörnquist Åstrand wrote:
>> The standard says one login is enough for all sessions since they all share
>> the same loginstate.
>> That said, I can believe you that this is the case, I've committed code
>> that should deal with by keeping the session around. See next snapshot
>> generated in a couple of hours.
> Version 2.01 C_CloseSession says: "When a session is closed, all session
> objects created by the session are destroyed automatically, even if the
> application has other sessions "using" the objects".

I was more thinking about the login state, ever realised that closing of
session changes the objects too.

> I would infer that this may be the problem with the hKey object,
> as it was found using one session then was trying to be used in the
> other session, and the two sessions were not open at the same time
> either.
> Sounds like your change should address this problem, and I hope .

I would guess so too, I changed the soft-pkcs11 to have
the close-session-invalidates-object behavior and with the simple
testing I did the new code worked.
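
The session behaviour discussed in this thread, as an added example that is not part of the original messages and is not Heimdal or soft-pkcs11 code: a simplified C model in which handles obtained through a session become invalid when that session is closed, comparing the find-close-reuse pattern with keeping the first session open. No real PKCS#11 library is called, and every name and return code in it is hypothetical.

```c
/* Simplified model only: no real PKCS#11 library is called; all names are hypothetical. */
#include <stdio.h>
enum { MAX_SESSIONS = 4, MAX_OBJECTS = 8 };
enum { RV_OK = 0, RV_OBJECT_INVALID = 1, RV_SESSION_INVALID = 2 };

static int session_open[MAX_SESSIONS];
static int object_owner[MAX_OBJECTS];   /* owning session + 1; 0 means no such object */

static int open_session(void) {
    for (int s = 0; s < MAX_SESSIONS; s++)
        if (!session_open[s]) { session_open[s] = 1; return s; }
    return -1;
}

/* Closing a session also invalidates every object handle obtained through it. */
static void close_session(int s) {
    session_open[s] = 0;
    for (int o = 0; o < MAX_OBJECTS; o++)
        if (object_owner[o] == s + 1) object_owner[o] = 0;
}

static int find_key(int s) {             /* returns a handle tied to session s */
    for (int o = 0; o < MAX_OBJECTS; o++)
        if (!object_owner[o]) { object_owner[o] = s + 1; return o; }
    return -1;
}

static int sign_with(int s, int key) {   /* any open session may use a live handle */
    if (s < 0 || s >= MAX_SESSIONS || !session_open[s]) return RV_SESSION_INVALID;
    if (key < 0 || key >= MAX_OBJECTS || !object_owner[key]) return RV_OBJECT_INVALID;
    return RV_OK;
}

/* keep_first = 0: find, close that session, sign from a new one; 1: keep it open. */
int find_then_sign(int keep_first) {
    int s1 = open_session();
    int key = find_key(s1);
    if (!keep_first) close_session(s1);
    int s2 = open_session();             /* may reuse s1's slot number when s1 was closed */
    int rv = sign_with(s2, key);
    close_session(s2);
    if (keep_first) close_session(s1);
    return rv;
}

int main(void) {
    printf("close first session, then sign: rv=%d\n", find_then_sign(0));
    printf("keep first session open:        rv=%d\n", find_then_sign(1));
    return 0;
}
```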