
Re: pkinit/opensc/soft-pkcs11

Matthew N. Andrews wrote:
> Love Hörnquist Åstrand wrote:
> 
>> Matthew Andrews <matt@slackers.net> writes:
>>
>>
>>> Yes, I believe that the "Not Supported" error is originating in
>>> soft-pkcs11. I was just trying to figure out how you would successfully
>>> use soft-pkcs11 with kinit if this was the case. Is there a way to get
>>> openssl to use the engine only for certain operations?
>>
>>
>>
>> I think the error is from this snippet of code in opensc's openssl
>> engine. It doesn't support RSA encryption. soft-pkcs11 does support RSA
>> encryption.
>>
>> static int
>> pkcs11_rsa_encrypt(int flen, const unsigned char *from, unsigned char *to,
>>                    RSA *rsa, int padding)
>> {
>>     /* PKCS11 calls go here */
>>     PKCS11err(PKCS11_F_PKCS11_RSA_ENCRYPT, PKCS11_NOT_SUPPORTED);
>>     return -1;
>> }
>>
>>
> 
> You're absolutely right about this. I even walked through this in gdb but 
> it was late and I was getting tired and sloppy, and thought I was in the 
> soft-pkcs11 library, not the opensc library. Sorry about that.
> 
> And again, thanks for the help. At this point I can successfully use 
> kinit to get tickets using a key pulled from soft-pkcs11. Now I just 
> need to add a mechanism to soft-pkcs11 that has it require a login, and 
> uses the login PIN to acquire credentials for the user. Time to read up 
> a little more on pkcs11, and figure out how I'm going to be able to get 
> a username (principal) all the way from the heimdal library layer down to 
> the pkcs11 layer (maybe as a pkcs11 object attribute that is searched for?).
> 
> Just in case anyone cares, my goal here is to have a pkcs11 software 
> token that requires login to retrieve a user key/cert pair, and upon 
> "login" to actually acquire the key/cert from a globus myproxy server.

So how are you authenticating to the myproxy?
It is not clear why you are trying to do all of this from the pkcs11.
It sounds like it should be multiple operations. Maybe via PAM.
Are you going to use the "pin" to authenticate to the myproxy?

> 
> I'm not sure if anyone else would be interested in additional hooks in 
> soft-pkcs11 to retrieve a credential from some external source requiring 
> a login, but if there's interest I'd be happy to make this as generic as 
> possible, and contribute it back.
> 
> -Matt Andrews
> 
>>> Thanks for the note about --pkinit-use-dh, I'll try that out for now.
>>
>>
>>
>> I think I'll make using DH the default when I verify that my code written
>> that parses the dh group info is correct.
>>
>> Love
>>

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444