[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pkinit with smartcard



i apologize for a repeated message but i forgot to attach the files. 
take 2.
 
Olga Kornievskaia wrote:
> Thank you for this very useful info about the pkcs11-spy and 
> pkcs11-tool --module commands. here's what i can report back. heimdal 
> under pkcs11-spy simply works. without it fails with the message about 
> "failing to decrypt with the private key".
>
> i'm attaching two files: one is the pkcs11-spy output with heimdal. 
> another is output of various pkcs11-tool commands.
>
> i would really like to figure out why decryption doesn't work with 
> ActivCard so any suggestions as to what to try would be really greatly 
> appreciated.
>
> Douglas E. Engert wrote:
>> If you have the OpenSC pkcs11-spy which it looks like you do
>> this would also show what is going on even if the pkcs11 is not
>> the OpenSC pkcs11. using something like:
>>
>> PKCS11SPY="usr/local/acgold/lib/libpkcs11.so"
>> export PKCS11SPY
>>
>> /usr/heimdal/bin/kinit --pk-use-enckey \
>>   -C PKCS11:/usr/lib/pkcs11-spy.so \
>>    aglo@HEIMDAL.CITI.UMICH.EDU
>>
>> Olga Kornievskaia wrote:
>>
>>>
>>>
>>> Love Hörnquist Åstrand wrote:
>>>
>>>> How is the card configured, does the private key allow both 
>>>> encryption and signing ?
>>>
>>> well, i don't know much about smartcards part of it but i've been 
>>> told that the keys on the card show work for both signing and 
>>> encrypting.
>>>
>>>> You can get more info about the existance of the private key and 
>>>> some certificate
>>>> by using.
>>>>
>>>> hxtool print --info  PKCS11:/...
>>>
>>> i get:
>>> /usr/heimdal/bin/hxtool print --info 
>>> PKCS11:/usr/local/acgold/lib/libpkcs11.so
>>> hxtool: hx509_certs_init: Failed to get pin code for slot id 1 with 
>>> error: 569927
>>>
>>>> Love
>>>>
>>>> 11 dec 2006 kl. 19.53 skrev Olga Kornievskaia:
>>>>
>>>>> after applying the patch i got:
>>>>> kinit: krb5_get_init_creds: Failed to unenvelope CMS data in 
>>>>> PK-INIT reply: No private key decrypted the transfer key; Failed 
>>>>> to decrypt with certificate issued by CN=CITI Production 
>>>>> KCA,O=University of Michigan,L=Ann Arbor,2.5.4.8=Michigan,C=US 
>>>>> with serial number 0107BA; Failed to decrypt using private key: -1
>>>>>
>>>>>
>>>>> Love Hörnquist Åstrand wrote:
>>>>>
>>>>>>
>>>>>> 11 dec 2006 kl. 19.17 skrev Olga Kornievskaia:
>>>>>>
>>>>>>> pkcs11 module release while session in use
>>>>>>
>>>>>>
>>>>>> Ok, so I assume it failes signing or encryption. This should take 
>>>>>> way the abort
>>>>>> and show the real error
>>>>>>
>>>>>> http://people.su.se/~lha/patches/heimdal/hx509-fail-put.txt
>>>>>>
>>>>>> If this isn't the problem, please put a breakpoint in 
>>>>>> p11_get_session
>>>>>> to find where the last get_session occur before the abourt.
>>>>>>
>>>>>> Love
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>
/usr/heimdal/bin/kinit --pk-use-enckey -C PKCS11:/usr/lib/pkcs11-spy.so aglo@AGLO.CITI.UMICH.EDU


*************** OpenSC PKCS#11 spy *****************
Loaded: "/usr/local/acgold/lib/libpkcs11.so"


0: C_GetFunctionList
Returned:  0 CKR_OK


1: C_Initialize
Returned:  0 CKR_OK


2: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
Count is 1
[out] *pulCount = 0x1
Returned:  0 CKR_OK


3: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
Slot 1
[out] *pulCount = 0x1
Returned:  0 CKR_OK


4: C_GetSlotInfo
[in] slotID = 0x1
[out] pInfo:
      slotDescription:        'ActivCard USB Reader 2.0 (601024'
                              '19) 00 00                       '
      manufacturerID:         'Unknown MFR                     '
      hardwareVersion:         1.0
      firmwareVersion:         1.0
      flags:                   7
        CKF_TOKEN_PRESENT
        CKF_REMOVABLE_DEVICE
        CKF_HW_SLOT
Returned:  0 CKR_OK


5: C_GetTokenInfo
[in] slotID = 0x1
[out] pInfo:
      label:                  'ActivIdentity Smart Card        '
      manufacturerID:         'Unknown MFR                     '
      model:                  'Unknown Model   '
      serialNumber:           '1               '
      ulMaxSessionCount:       0
      ulSessionCount:          0
      ulMaxRwSessionCount:     0
      ulRwSessionCount:        0
      ulMaxPinLen:             8
      ulMinPinLen:             8
      ulTotalPublicMemory:     0
      ulFreePublicMemory:      0
      ulTotalPrivateMemory:    0
      ulFreePrivateMemory:     0
      hardwareVersion:         255.0
      firmwareVersion:         255.0
      time:                   '0000000000000000'
      flags:                   40d
        CKF_RNG
        CKF_LOGIN_REQUIRED
        CKF_USER_PIN_INITIALIZED
        CKF_TOKEN_INITIALIZED
Returned:  0 CKR_OK


6: C_OpenSession
[in] slotID = 0x1
[in] flags = 0x4
pApplication=(nil)
Notify=(nil)
[out] *phSession = 0x929c148
Returned:  0 CKR_OK
PIN code for ActivCard USB Reader 2.0 (60102419) 00 00:


7: C_Login
[in] hSession = 0x929c148
[in] userType = CKU_USER
[in] pPin[ulPinLen] [size : 0x6 (6)]
    30303030 3030
Returned:  0 CKR_OK


8: C_GetMechanismList
[in] slotID = 0x1
[out] pMechanismList[2]:
Count is 2
Returned:  0 CKR_OK


9: C_GetMechanismList
[in] slotID = 0x1
[out] pMechanismList[2]:
 CKM_RSA_PKCS
 CKM_SHA1_RSA_PKCS
Returned:  0 CKR_OK


10: C_GetMechanismInfo
[in] slotID = 0x1
 CKM_RSA_PKCS
[out] pInfo:
CKM_RSA_PKCS                  : min:128 max:256 flags:0x60000 ( Wrap Unwrap )
Returned:  0 CKR_OK


11: C_GetMechanismInfo
[in] slotID = 0x1
 CKM_SHA1_RSA_PKCS
[out] pInfo:
CKM_SHA1_RSA_PKCS             : min:0 max:0 flags:0x7FB00 ( Encrypt Decrypt Sign SigRecov Verify VerRecov Generate KeyPair Wrap Unwrap )
Returned:  0 CKR_OK


12: C_FindObjectsInit
[in] hSession = 0x929c148
[in] pTemplate[1]:
    CKA_CLASS             CKO_PRIVATE_KEY
Returned:  0 CKR_OK


13: C_FindObjects
[in] hSession = 0x929c148
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 153732112 Matches
Returned:  0 CKR_OK


14: C_GetAttributeValue
[in] hSession = 0x929c148
[in] hObject = 0x929c410
[in] pTemplate[1]:
    CKA_ID                requested with 0 buffer
[out] pTemplate[1]:
    CKA_ID                has size 1
Returned:  0 CKR_OK


15: C_GetAttributeValue
[in] hSession = 0x929c148
[in] hObject = 0x929c410
[in] pTemplate[1]:
    CKA_ID                requested with 1 buffer
[out] pTemplate[1]:
    CKA_ID                [size : 0x1 (1)]
    03
Returned:  0 CKR_OK


16: C_GetAttributeValue
[in] hSession = 0x929c148
[in] hObject = 0x929c410
[in] pTemplate[1]:
    CKA_MODULUS           requested with 0 buffer
[out] pTemplate[1]:
    CKA_MODULUS           has size 128
Returned:  0 CKR_OK


17: C_GetAttributeValue
[in] hSession = 0x929c148
[in] hObject = 0x929c410
[in] pTemplate[1]:
    CKA_MODULUS           requested with 128 buffer
[out] pTemplate[1]:
    CKA_MODULUS           [size : 0x80 (128)]
    C21B643A 35508347 AF672FE6 19AA6818 B9E3CE02 F6F4136D 3952D339 EC9A65DB
    89F6A0C2 38F01CF5 DE15E056 1FFAA678 CA9F8368 533F74DB 9BE2BD13 A399B4D5
    42ACBB0F 0ECA8989 D05340C9 D9671894 DE3F0E3E E671D57B E53CDFB8 46962322
    002EA7AF D89C02AC 070131FC 052D0A6F 524E1147 17CD3258 19A0D9BB 39B8AFA5
Returned:  0 CKR_OK


18: C_GetAttributeValue
[in] hSession = 0x929c148
[in] hObject = 0x929c410
[in] pTemplate[1]:
    CKA_PUBLIC_EXPONENT   requested with 0 buffer
[out] pTemplate[1]:
    CKA_PUBLIC_EXPONENT   has size -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID


19: C_FindObjects
[in] hSession = 0x929c148
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x0
Returned:  0 CKR_OK


20: C_FindObjectsFinal
[in] hSession = 0x929c148
Returned:  0 CKR_OK


21: C_FindObjectsInit
[in] hSession = 0x929c148
[in] pTemplate[1]:
    CKA_CLASS             CKO_CERTIFICATE
Returned:  0 CKR_OK


22: C_FindObjects
[in] hSession = 0x929c148
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 153789088 Matches
Returned:  0 CKR_OK


23: C_GetAttributeValue
[in] hSession = 0x929c148
[in] hObject = 0x92aa2a0
[in] pTemplate[3]:
    CKA_ID                requested with 1 buffer
    CKA_VALUE             requested with 0 buffer
    CKA_LABEL             requested with 0 buffer
[out] pTemplate[3]:
    CKA_ID                has size 1
    CKA_VALUE             has size 1328
    CKA_LABEL             has size 12
Returned:  0 CKR_OK


24: C_GetAttributeValue
[in] hSession = 0x929c148
[in] hObject = 0x92aa2a0
[in] pTemplate[3]:
    CKA_ID                requested with 1 buffer
    CKA_VALUE             requested with 1328 buffer
    CKA_LABEL             requested with 12 buffer
[out] pTemplate[3]:
    CKA_ID                [size : 0x1 (1)]
    03
    CKA_VALUE             [size : 0x530 (1328)]
    3082052C 30820414 A0030201 02020301 07BA300D 06092A86 4886F70D 01010505
    00307331 0B300906 03550406 13025553 3111300F 06035504 0813084D 69636869
    67616E31 12301006 03550407 1309416E 6E204172 626F7231 1F301D06 0355040A
    1316556E 69766572 73697479 206F6620 4D696368 6967616E 311C301A 06035504
    03131343 49544920 50726F64 75637469 6F6E204B 4341301E 170D3036 31313131
    30303233 35325A17 0D303731 31313130 30323335 325A3081 B3310B30 09060355
    04061302 55533111 300F0603 55040813 084D6963 68696761 6E311230 10060355
    04071309 416E6E20 4172626F 72311F30 1D060355 040A1316 556E6976 65727369
    7479206F 66204D69 63686967 616E311C 301A0603 55040B13 13434954 49205072
    6F647563 74696F6E 204B4341 311A3018 06035504 0313114F 6C676120 4B6F726E
    69657673 6B616961 31223020 06092A86 4886F70D 01090116 1361676C 6F406369
    74692E75 6D696368 2E656475 30819F30 0D06092A 864886F7 0D010101 05000381
    8D003081 89028181 00C21B64 3A355083 47AF672F E619AA68 18B9E3CE 02F6F413
    6D3952D3 39EC9A65 DB89F6A0 C238F01C F5DE15E0 561FFAA6 78CA9F83 68533F74
    DB9BE2BD 13A399B4 D542ACBB 0F0ECA89 89D05340 C9D96718 94DE3F0E 3EE671D5
    7BE53CDF B8469623 22002EA7 AFD89C02 AC070131 FC052D0A 6F524E11 4717CD32
    5819A0D9 BB39B8AF A5020301 0001A382 020A3082 02063009 0603551D 13040230
    00301106 09608648 0186F842 01010404 03020780 300B0603 551D0F04 04030205
    A0301E06 03551D25 04173015 060A2B06 01040182 37140202 06072B06 01050203
    04302C06 09608648 0186F842 010D041F 161D4F70 656E5353 4C204765 6E657261
    74656420 43657274 69666963 61746530 53060355 1D1F044C 304A3048 A046A044
    86426874 74703A2F 2F777777 2E636974 692E756D 6963682E 6564752F 70726F6A
    65637473 2F706B69 6E69742F 63697469 5F70726F 64756374 696F6E5F 63726C73
    2E63726C 301D0603 551D0E04 160414C2 4B0CBD9F 16507DE3 3616E967 5AEF89BC
    33CE2330 819E0603 551D2304 81963081 93801465 CC2C0A2E D3582FC7 170973E4
    EF6ADFD3 407C30A1 77A47530 73310B30 09060355 04061302 55533111 300F0603
    55040813 084D6963 68696761 6E311230 10060355 04071309 416E6E20 4172626F
    72311F30 1D060355 040A1316 556E6976 65727369 7479206F 66204D69 63686967
    616E311C 301A0603 55040313 13434954 49205072 6F647563 74696F6E 204B4341
    820234EB 306B0603 551D1104 643062A0 3606062B 06010502 02A02C30 2AA0151B
    1341474C 4F2E4349 54492E55 4D494348 2E454455 A111300F A0030201 01A10830
    061B0461 676C6FA0 28060A2B 06010401 82371402 03A01A0C 1861676C 6F404147
    4C4F2E43 4954492E 554D4943 482E4544 55300906 03551D12 04023000 300D0609
    2A864886 F70D0101 05050003 82010100 52B433B1 53E2632A 3F274EDC BF36ED03
    03342E6E 7C9DB161 8942CC71 4423573A 4640E2A7 58E4A6C5 BD52EEF8 C4D54915
    337837F5 FAA2F523 FE977999 DF1C8AED BA9F7984 D6AABEA9 67D40071 42DDB24A
    80028379 ACD101E0 1079DB53 4A5BCBE7 B835FA57 2090012C 63C8CE11 5B6AD1AD
    CEB182A1 18490E7A 701AD055 8DBCBEA7 8410EA5F 06B1BA7E 534CF7A7 5F1F3C31
    58EBDFE6 22796BA3 B4520B38 8A810EED D2BB7658 63F44E6D C4D6C7D0 594CA536
    853BBF27 D6A16C69 0597D18D 3FC79D6F B79302A3 51E8DBCA 584A5698 4B0EAF66
    57C5FB94 42ECF37E 37279547 5E9CE0C6 A316B203 E582DE45 4E8EC7FC AF59EF9B
    8C4980F9 8EBD662F 0DC16C3B B88CAC30
    CKA_LABEL             [size : 0xC (12)]
    43657274 69666963 61746531
     C e r t  i f i c  a t e 1
Returned:  0 CKR_OK


25: C_FindObjects
[in] hSession = 0x929c148
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x0
Returned:  0 CKR_OK


26: C_FindObjectsFinal
[in] hSession = 0x929c148
Returned:  0 CKR_OK


27: C_SignInit
[in] hSession = 0x929c148
pMechanism->type=CKM_RSA_PKCS
[in] hKey = 0x929c410
Returned:  0 CKR_OK


28: C_Sign
[in] hSession = 0x929c148
[in] pData[ulDataLen] [size : 0x23 (35)]
    30213009 06052B0E 03021A05 000414DD 1B675E4A 0FA98BAC D4DEBA5F CB597DDE
    F98BB1
[out] pSignature[*pulSignatureLen] [size : 0x80 (128)]
    120F79E4 4A642640 FDB6F8DD 32EFA86B 5D497F86 419D5607 249609CD 19294E59
    F0F595AB 259FDFAE 7D1D198A 64ABB148 19C030DA 7F344D04 DB0EF927 12D84D8A
    A30F206B F157549A 59749263 C81B0B79 06BAF91D 9052D5A1 D0D4F14D C40DD942
    015E0882 FC371E46 2410BF35 C42DDA2A CA0AC1EC 21C60D56 C6C3E2E4 B9BE1511
Returned:  0 CKR_OK


29: C_DecryptInit
[in] hSession = 0x929c148
pMechanism->type=CKM_RSA_PKCS
[in] hKey = 0x929c410
Returned:  0 CKR_OK


30: C_Decrypt
[in] hSession = 0x929c148
[in] pEncryptedData[ulEncryptedDataLen] [size : 0x80 (128)]
    38D5F203 632CE669 A834044B E831D263 0E9572A7 02BB2FB8 48D6A41F E3B68D73
    775ACBFC 935F5EFC 6C961BDD 79A4666B D4B6D090 D9511D5F 0FD632F6 B3D2BF09
    F70EC204 26D39BB0 C0AF1164 E457ED4C F8078266 40CD94DA 85FB43A5 31A8B3A4
    002A6705 4264D06C AEED4267 D44DE524 6934021E 69FE9786 F3BA7AB2 FD08062B
[out] pData[*pulDataLen] [size : 0x18 (24)]
    A416012F D38C8CBF C24F6D08 7C4ACBA2 5464A48A B03E43EF
Returned:  0 CKR_OK


31: C_CloseSession
[in] hSession = 0x929c148
Returned:  0 CKR_OK


32: C_Finalize
Returned:  0 CKR_OK

 kcs11-tool --module /usr/local/acgold/lib/libpkcs11.so -O
warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Public Key Object; unknown key algorithm 159299576
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

  ID:         03
warning: PKCS11 function C_GetAttributeValue(ENCRYPT) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(VERIFY) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

warning: PKCS11 function C_GetAttributeValue(WRAP) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

  Usage:      encrypt, verify, wrap
Certificate Object, type = X.509 cert
  label:      Certificate1
  ID:         03
Private Key Object; RSA
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

  ID:         03
  Usage:      decrypt, sign, unwrap

------------------------------------------------------------------------------
pkcs11-tool --module /usr/local/acgold/lib/libpkcs11.so -L
Available slots:
Slot 1           ActivCard USB Reader 2.0 (60102419) 00 00
  token label:   ActivIdentity Smart Card
  token manuf:   Unknown MFR
  token model:   Unknown Model
  token flags:   rng, login required, PIN initialized, token initialized
  serial num  :  1

------------------------------------------------------------------------------
pkcs11-tool --module /usr/local/acgold/lib/libpkcs11.so -M
Supported mechanisms:
  RSA-PKCS, wrap, unwrap, other flags=0x20000
  SHA1-RSA-PKCS, sign, verify, wrap, unwrap, encrypt, decrypt, keypairgen, other flags=0x2d000