Re: pkinit/opensc/soft-pkcs11
Matthew N. Andrews wrote:
> So after wrestling with a mass of linking problems I seem to finally
> have openssl, heimdal, opensc, and soft-pkcs11 all built with debugging
> and without optimization (YAY!). Now, however, I'm still having some
> trouble getting it all to work.
>
> when I run "kinit -C
> ENGINE:ENGINE=dynamic,PRE=SO_PATH:/opt/opensc-0.9.6/lib/opensc/engine_pkcs11.so,PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,PRE=MODULE_PATH:/usr/local/lib/soft-pkcs11.so,CERT=/tmp/x509up_u31765,KEY=slot_0
> ma3d"
>
With the cert in /tmp/x509up_u31765 it looks like you are trying to
use a Globus proxy cert. The private key should also be in the same file
so it is not clear why you need the engine or pkcs11 at all. Try changing
KEY=slot_0 to KEY=/tmp/x509up_u31765.
> I get the following error:
> kinit: krb5_get_init_creds: Can't decrypt key: error:2A008404:PKCS11
> library:PKCS11_rsa_decrypt:Not supported
>
> now this seems to be a case of openssl trying to use the engine that was
> loaded to decrypt something which soft-pkcs11 does not do. Is this
> supposed to fail in this way?
>
> Love, I notice that you have this error on your pkinit for heimdal page.
> Is it currently possible to use soft-pkcs11 with heimdal pkinit?
>
> Just fyi I'm using heimdal-20050927, opensc-0.9.6, openssl-0.9.8, and
> soft-pkcs11-1.3.
>
> (I could have sworn I saw this work once, but then again I might just be
> completely hallucinating after spending 3 out of the last four days on
> this stuff.)
>
> -Matt
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
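
As an added example (not part of the original thread, and not code from Heimdal, OpenSC or soft-pkcs11): a check of whether a PEM credential file, such as the proxy file discussed above, carries a private key alongside its certificate before KEY= is pointed at it. The function names are hypothetical, the sample PEM bodies are constructed placeholders, and the permission check assumes a key-bearing file should not be readable by group or others.

```python
import os
import re
import stat

# One PEM block: label captured, body captured (may include RFC 1421 headers).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_pem(text):
    """Summarise the PEM blocks found in a credential file's text."""
    certs, keys, encrypted = 0, 0, 0
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            certs += 1
        elif label.endswith("PRIVATE KEY"):
            keys += 1
            # PKCS#8 encrypted label, or traditional OpenSSL encryption header.
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                encrypted += 1
    return {"certs": certs, "keys": keys, "encrypted_keys": encrypted}

def holds_cert_and_key(text):
    """True when the file has at least one certificate and exactly one key."""
    r = inspect_pem(text)
    return r["certs"] >= 1 and r["keys"] == 1

def readable_by_others(path):
    """True when group or other permission bits are set on the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def _block(label, extra=""):
    # Constructed placeholder body, not real key or certificate material.
    return f"-----BEGIN {label}-----\n{extra}Q09OU1RSVUNURUQ=\n-----END {label}-----\n"

# Constructed samples: proxy-style layout (cert, key, issuing cert), cert only,
# and a certificate followed by a passphrase-protected traditional RSA key.
PROXY_STYLE = _block("CERTIFICATE") + _block("RSA PRIVATE KEY") + _block("CERTIFICATE")
CERT_ONLY = _block("CERTIFICATE")
ENCRYPTED_KEY = _block("CERTIFICATE") + _block(
    "RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n")

if __name__ == "__main__":
    for name, sample in [("proxy-style", PROXY_STYLE), ("cert-only", CERT_ONLY),
                         ("encrypted", ENCRYPTED_KEY)]:
        print(name, inspect_pem(sample), holds_cert_and_key(sample))
```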