
Re: heimdal pkinit compiling on debian



"Prágai, Róbert" <pragai@rubin.hu> writes:

> Now everything works smoothly.

Cool

> Next chapter:
> 
> I plan to include support for OpenSC smartcard library to use
> smartcards for PKINIT. It does not seem to be too hard if I understand
> the code well: basically I should modify the _krb5_pk_load_openssl_id
> function, which loads the private key and the certificate and the
> _krb5_pk_create_sign function which creates the signature needed for
> authentication.

I've been working on rewriting the cms functions in the pkinit patch to make
them easier to use (and reuse). Part of why I'm doing this is to make it
simpler for the pkinit code to find the right certificate to use.

> My questions:
> - AFAIK there were some smartcard functionalities in the former pkinit
> patch. Is that approach usable here (so can I use that code as a basic
> approach), or is it deprecated and the work should be started from
> scratch?

I'm not sure how usable it is given it's for a specific card. I think it
should be possible to glue in. However, I think that either using opensc
crypto functions or the opensc pkcs11 module (either directly or via
openssl).

> - As there will be no "loading of private key" as there is practically
> no way to get the private key out of the card, is there a common way
> to notify the _krb5_pk_create_sign function that the signature
> creation should be done in a different way? Or should I invent a new
> method?

The "load" is somewhat misnamed, it's more of a configuration option, "here
you find the private key"; the current code assumes that there is an
openssl EVP_PKEY (RSA is assumed) that it's possible to do EVP_Sign() and
EVP_PKEY_decrypt() with.

So if you change the code to support something more than "FILE:" that would
be ok. Something like

OPENSSL-ENGINE:modulename,/path/to/module.so,key_id,/path/to/certificate.pem

I've yet to see a way to get hold of the CA certificate and the certificate
itself that lives on the smartcard through openssl's api, so I don't really
like this solution, but I'm sure it will be the fastest way to get it
working.

If you decide to work on the pkcs11 solution, I've got both pkcs11 code
that might be a good start, and some time ago I wrote a pkcs11 software
module (http://people.su.se/~lha/soft-pkcs11/) so I don't need to carry
around the smartcard reader all the time. Note that the rsa keybindling is
turned off since it makes it not work when running inside mozilla.

> - Is it OK if I use a new #define statement in the config.h like #define
> UseOpenSC 1, as PKINIT works this way?

Sure is. But it's best if it's possible to make the code dynamically
loadable, but don't worry about that now, I'll modify any code you'll
contribute to meet my requirements.

Love
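The reply above treats the "load" step as a configuration string that names where the private key lives, and sketches an `OPENSSL-ENGINE:` form next to the existing `FILE:` one. The following C code is an added example, not Heimdal code from the patch or the thread: it parses both spellings into a struct so that a `_krb5_pk_load_openssl_id`-style function could dispatch on the backend rather than assume a PEM file. The struct, field names and the rule that every engine field is mandatory and non-empty are assumptions; the field order follows the string in the reply.

```c
/* Added example (not Heimdal code): parse the key-location string that a
 * pkinit "load" step receives. Accepts "FILE:<path>" and the hypothetical
 * "OPENSSL-ENGINE:<engine>,<module.so>,<key_id>,<cert.pem>" form.
 * Field names and fixed buffer sizes are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

enum pk_backend { PK_BACKEND_NONE = 0, PK_BACKEND_FILE, PK_BACKEND_ENGINE };

struct pk_key_spec {
    enum pk_backend backend;
    char file[256];     /* FILE: PEM holding key and certificate */
    char engine[64];    /* OPENSSL-ENGINE: engine name */
    char module[256];   /* path to the engine shared object */
    char key_id[128];   /* key identifier on the token */
    char cert[256];     /* certificate file (not readable via the engine) */
};

/* Copy one comma-delimited field into dst. Rejects empty or oversized
 * fields. Returns a pointer to the terminating ',' or '\0', or NULL. */
static const char *
take_field(const char *s, char *dst, size_t dstlen)
{
    size_t n = strcspn(s, ",");
    if (n == 0 || n >= dstlen)
        return NULL;
    memcpy(dst, s, n);
    dst[n] = '\0';
    return s + n;
}

/* Returns 0 on success and fills *out; -1 on an unknown scheme or a
 * malformed spec (missing, empty, oversized or extra fields). */
int
pk_parse_key_spec(const char *spec, struct pk_key_spec *out)
{
    memset(out, 0, sizeof(*out));
    if (spec == NULL)
        return -1;

    if (strncmp(spec, "FILE:", 5) == 0) {
        const char *rest = spec + 5;
        if (*rest == '\0' || strlen(rest) >= sizeof(out->file))
            return -1;
        strcpy(out->file, rest);
        out->backend = PK_BACKEND_FILE;
        return 0;
    }

    if (strncmp(spec, "OPENSSL-ENGINE:", 15) == 0) {
        const char *p = spec + 15;
        /* Exactly four fields; each must be followed by ',' except the last,
         * which must end the string (so trailing garbage is rejected). */
        if ((p = take_field(p, out->engine, sizeof(out->engine))) == NULL || *p++ != ',')
            return -1;
        if ((p = take_field(p, out->module, sizeof(out->module))) == NULL || *p++ != ',')
            return -1;
        if ((p = take_field(p, out->key_id, sizeof(out->key_id))) == NULL || *p++ != ',')
            return -1;
        if ((p = take_field(p, out->cert, sizeof(out->cert))) == NULL || *p != '\0')
            return -1;
        out->backend = PK_BACKEND_ENGINE;
        return 0;
    }

    return -1;  /* unknown scheme: fail closed rather than guess */
}

/* Convenience wrapper: backend of a spec, or -1 if it does not parse. */
int
pk_spec_backend(const char *spec)
{
    struct pk_key_spec ks;
    return pk_parse_key_spec(spec, &ks) == 0 ? (int)ks.backend : -1;
}

int
main(void)
{
    /* Constructed sample specs, not values from any real deployment. */
    const char *specs[] = {
        "FILE:/etc/krb5/user.pem",
        "OPENSSL-ENGINE:pkcs11,/usr/lib/engine_pkcs11.so,45,/home/u/cert.pem",
        "OPENSSL-ENGINE:pkcs11,,45,/home/u/cert.pem",
        "PKCS11:some-token",
    };
    for (size_t i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
        struct pk_key_spec ks;
        int rc = pk_parse_key_spec(specs[i], &ks);
        printf("%-70s -> rc=%d backend=%d\n", specs[i], rc, (int)ks.backend);
    }
    return 0;
}
```

Rejecting an unrecognised scheme instead of falling back to the file loader matters here: a misparsed spec should fail the login, not silently read a PEM from a path that was meant to be an engine argument.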