Re: pkinit/opensc/soft-pkcs11
Love Hörnquist Åstrand wrote:
> Matthew Andrews <matt@slackers.net> writes:
>
>
>>Yes, I believe that the "Not Supported" error is originating in
>>soft-pkcs11. I was just trying to figure out how you would successfully
>>use soft-pkcs11 with kinit if this was the case. Is there a way to get
>>openssl to use the engine only for certain operations?
>
>
> I think the error is from this snippet of code in opensc's openssl engine.
> It doesn't support rsa encryption. soft-pkcs11 does support rsa
> encryption.
>
> static int
> pkcs11_rsa_encrypt(int flen, const unsigned char *from, unsigned char *to,
> RSA * rsa, int padding)
> {
> /* PKCS11 calls go here */
> PKCS11err(PKCS11_F_PKCS11_RSA_ENCRYPT, PKCS11_NOT_SUPPORTED);
> return -1;
> }
>
>
You're absolutely right about this. I even walked through this in gdb, but
it was late and I was getting tired and sloppy, and thought I was in the
soft-pkcs11 library, not the opensc library. Sorry about that.
And again, thanks for the help. At this point I can successfully use
kinit to get tickets using a key pulled from soft-pkcs11. Now I just
need to add a mechanism to soft-pkcs11 that has it require a login, and
uses the login pin to acquire credentials for the user. Time to read up
a little more on pkcs11, and figure out how I'm going to be able to get
a username (principal) all the way from the heimdal library layer down to
the pkcs11 layer (maybe as a pkcs11 object attribute that is searched for?).
Just in case anyone cares, my goal here is to have a pkcs11 software
token that requires login to retrieve a user key/cert pair, and upon
"login" to actually acquire the key/cert from a globus myproxy server.
I'm not sure if anyone else would be interested in additional hooks in
soft-pkcs11 to retrieve a credential from some external source requiring
a login, but if there's interest I'd be happy to make this as generic as
possible, and contribute it back.
-Matt Andrews
>>thanks for the note about --pkinit-use-dh, I'll try that out for now.
>
>
> I think I'll make using DH the default when I verify that the code I
> wrote to parse the dh group info is correct.
>
> Love
>
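The login-gated token Matt describes above (private objects hidden until C_Login succeeds, then usable for signing) follows standard PKCS#11 semantics. Below is an added toy illustration of that state machine in C; it is not soft-pkcs11 or opensc code, it does not include the real pkcs11.h (the CKR_* values are the standard ones, the function names are hypothetical), and the PIN "1234" and the two objects are constructed sample data.

```c
/* Toy PKCS#11-style token: private objects (CKA_PRIVATE = TRUE) are not
 * visible or usable until the user logs in with the correct PIN. */
#include <stddef.h>
#include <string.h>

#define CKR_OK                     0x000
#define CKR_USER_ALREADY_LOGGED_IN 0x100
#define CKR_USER_NOT_LOGGED_IN     0x101
#define CKR_PIN_INCORRECT          0x0A0
#define CKR_OBJECT_HANDLE_INVALID  0x082

typedef struct { const char *label; int is_private; } object_t;
typedef struct { int logged_in; } session_t;

static const char *token_pin = "1234";     /* constructed sample PIN */
static const object_t objects[] = {
    { "user-cert", 0 },  /* CKA_PRIVATE = FALSE: visible before login */
    { "user-key",  1 },  /* CKA_PRIVATE = TRUE:  hidden before login  */
};

/* Constant-time compare so PIN checking does not leak by timing. */
static int pin_equal(const char *a, const char *b, size_t n) {
    volatile unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* C_Login-like: verify the user PIN and mark the session logged in. */
unsigned long toy_login(session_t *s, const char *pin) {
    size_t n = strlen(token_pin);
    if (s->logged_in) return CKR_USER_ALREADY_LOGGED_IN;
    if (strlen(pin) != n || !pin_equal(pin, token_pin, n))
        return CKR_PIN_INCORRECT;
    s->logged_in = 1;
    return CKR_OK;
}

/* C_FindObjects-like: count objects this session is allowed to see. */
int toy_visible_objects(const session_t *s) {
    int n = 0;
    for (size_t i = 0; i < sizeof objects / sizeof objects[0]; i++)
        if (!objects[i].is_private || s->logged_in) n++;
    return n;
}

/* C_SignInit-like: using a private key requires a prior login. */
unsigned long toy_sign_init(const session_t *s, const char *label) {
    for (size_t i = 0; i < sizeof objects / sizeof objects[0]; i++) {
        if (strcmp(objects[i].label, label) != 0) continue;
        if (objects[i].is_private && !s->logged_in) return CKR_USER_NOT_LOGGED_IN;
        return CKR_OK;
    }
    return CKR_OBJECT_HANDLE_INVALID;
}
```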