Re: heimdal pkinit compiling on debian
Love <lha@stacken.kth.se> writes:
> "Prágai, Róbert" <pragai@rubin.hu> writes:
>> - As there will be no "loading of private key" as there is practically
>> no way to get the private key out of the card, is there a common way
>> to notify the _krb5_pk_create_sign function that the signature
>> creation should be done in a different way? Or should I invent a new
>> method?
[...]
> OPENSSL-ENGINE:modulename,/path/to/module.so,key_id,/path/to/certificate.pem
I just wrote some code to support openssl engines; tonight's snapshot will
include it.
Using the opensc pkcs11 engine with my softtoken:
./kinit --no-addr -C \
ENGINE:ENGINE=dynamic,PRE=SO_PATH:/sources/opensc/dest0.9.2/lib/opensc/engine_pkcs11.so,PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,PRE=MODULE_PATH:/home/lha/src/cvs/soft-pkcs11/o/.libs/soft-pkcs11.so,CERT=/secure/lha/l.nxs.se/CA/lha.crt,KEY=slot_0 \
lha@N.L.NXS.SE
or
./kinit --no-addr -C ENGINE:CERT=/secure/lha/l.nxs.se/CA/lha.crt,KEY=slot_0 \
lha@N.L.NXS.SE
and this in krb5.conf:
[libdefaults]
pkinit-openssl-engine = ENGINE=dynamic,PRE=SO_PATH:/sources/opensc/dest0.9.2/lib/opensc/engine_pkcs11.so,PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,PRE=MODULE_PATH:/home/lha/src/cvs/soft-pkcs11/o/.libs/soft-pkcs11.so
my .softtoken.rc looks like this:
: lha@nutcracker ; cat ~/.soft-token.rc
# Separator is \t
# fields are id, label, cert file[, optional keyfile]
lha Love's certificate /path/lha.crt /path/lha-no-pw.key
anchor L.NXS.SE CA /path/CA/ca.crt
It all fails with
kinit: krb5_get_init_creds: Can't decrypt key: error:2A008404:PKCS11 library:PKCS11_rsa_decrypt:Not supported
because opensc doesn't implement rsa encryption/decryption in their openssl
pkcs11 engine module; that shouldn't be too hard to add.
I also updated http://people.su.se/~lha/patches/heimdal/pkinit/ to explain
what all the options mean.
Love
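As an added illustration of the option syntax in the message above (this is not Heimdal's code and not part of the thread), the following Python parses the `-C ENGINE:...` identity string and the `pkinit-openssl-engine` value, and resolves the short command-line form against the krb5.conf default the way the two kinit invocations imply. The assumed semantics are mine: items are comma-separated `KEY=VALUE` pairs, each `PRE=CMD[:ARG]` is an OpenSSL engine ctrl command applied in order before the engine is initialised (as with `openssl engine -pre`), and when the command line lacks `ENGINE=` the engine set-up comes from krb5.conf. The names `EngineIdentity`, `parse_engine_spec` and `resolve_kinit_identity` are hypothetical; the sample strings are copied from the message.

```python
"""Parser for the ENGINE: identity syntax shown for `kinit -C` and for the
krb5.conf pkinit-openssl-engine setting.

Illustrative reimplementation written from the mailing-list message, not
Heimdal's own parser.  Assumed semantics: comma-separated KEY=VALUE items;
PRE=CMD[:ARG] items are OpenSSL engine ctrl commands run in order before
engine init; the short kinit form takes its engine set-up from krb5.conf.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input copied from the message: the long and short kinit forms and
# the [libdefaults] setting.
LONG_FORM = ("ENGINE:ENGINE=dynamic,"
             "PRE=SO_PATH:/sources/opensc/dest0.9.2/lib/opensc/engine_pkcs11.so,"
             "PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,"
             "PRE=MODULE_PATH:/home/lha/src/cvs/soft-pkcs11/o/.libs/soft-pkcs11.so,"
             "CERT=/secure/lha/l.nxs.se/CA/lha.crt,KEY=slot_0")
SHORT_FORM = "ENGINE:CERT=/secure/lha/l.nxs.se/CA/lha.crt,KEY=slot_0"
KRB5CONF_ENGINE = ("ENGINE=dynamic,"
                   "PRE=SO_PATH:/sources/opensc/dest0.9.2/lib/opensc/engine_pkcs11.so,"
                   "PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,"
                   "PRE=MODULE_PATH:/home/lha/src/cvs/soft-pkcs11/o/.libs/soft-pkcs11.so")


@dataclass
class EngineIdentity:
    engine: Optional[str] = None      # ENGINE=<openssl engine id>, e.g. "dynamic"
    pre_cmds: List[Tuple[str, Optional[str]]] = field(default_factory=list)  # ordered PRE= ctrl commands
    cert: Optional[str] = None        # CERT=<path to PEM certificate>
    key: Optional[str] = None         # KEY=<key id understood by the engine>, e.g. "slot_0"


def parse_engine_spec(spec: str, into: Optional[EngineIdentity] = None) -> EngineIdentity:
    """Parse 'ENGINE=..,PRE=..,CERT=..,KEY=..' (without the leading 'ENGINE:')."""
    ident = into if into is not None else EngineIdentity()
    for item in spec.split(","):
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed item (expected KEY=VALUE): {item!r}")
        key, value = item.split("=", 1)
        if key == "ENGINE":
            ident.engine = value
        elif key == "PRE":
            # Split at the first colon only: the argument is often a path.
            cmd, _, arg = value.partition(":")
            ident.pre_cmds.append((cmd, arg or None))
        elif key == "CERT":
            ident.cert = value
        elif key == "KEY":
            ident.key = value
        else:
            raise ValueError(f"unknown keyword {key!r} in engine spec")
    return ident


def resolve_kinit_identity(cmdline: str, krb5conf_engine: Optional[str] = None) -> EngineIdentity:
    """Resolve a `kinit -C ENGINE:...` argument.  When the command line
    carries only CERT= and KEY=, the engine set-up is taken from the
    pkinit-openssl-engine value, mirroring the short kinit form."""
    prefix = "ENGINE:"
    if not cmdline.startswith(prefix):
        raise ValueError("not an ENGINE: identity")
    ident = parse_engine_spec(cmdline[len(prefix):])
    if ident.engine is None and krb5conf_engine:
        base = parse_engine_spec(krb5conf_engine)
        ident.engine = base.engine
        ident.pre_cmds = base.pre_cmds + ident.pre_cmds
    # Sanity checks worth doing before the string reaches OpenSSL.
    if ident.engine is None:
        raise ValueError("no ENGINE= on the command line and no pkinit-openssl-engine in krb5.conf")
    if ident.cert is None or ident.key is None:
        raise ValueError("both CERT= and KEY= are required")
    if ident.engine == "dynamic":
        cmds = [c for c, _ in ident.pre_cmds]
        if "SO_PATH" not in cmds or "LOAD" not in cmds:
            raise ValueError("dynamic engine needs PRE=SO_PATH:... and PRE=LOAD")
        if cmds.index("LOAD") < cmds.index("SO_PATH"):
            raise ValueError("PRE=LOAD must come after PRE=SO_PATH")
    return ident


if __name__ == "__main__":
    for arg in (LONG_FORM, SHORT_FORM):
        ident = resolve_kinit_identity(arg, KRB5CONF_ENGINE)
        print(ident.engine, ident.key, [c for c, _ in ident.pre_cmds])
```

Both forms resolve to the same identity: the engine name and the ordered list of ctrl commands (`SO_PATH`, `ID`, `LIST_ADD`, `LOAD`, `MODULE_PATH`) plus the certificate path and key id. The short form without a krb5.conf value is rejected, since there is then no engine to load the key from.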