[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pkinit integration with smart card




Interestingly when I use the patch for OpenSSH (http://alon.barlev.googlepages.com/openssh-pkcs11) that enables PKCS11 it does work.

The in data for both heimdal pkinit and SSH are a lenght of 35 bytes.  The last two entries from the PKCS11 Spy output are:
37: C_SignInit
[in] hSession = 0x812c988
pMechanism->type=CKM_RSA_PKCS
[in] hKey = 0x814c998
Returned:  0 CKR_OK


38: C_Sign
[in] hSession = 0x812c988
[in] pData[ulDataLen] [size : 0x23 (35)]
    30213009 06052B0E 03021A05 00041477 B815C0A7 F509B19F E6F409FD 6F04DBE3
    9BDEAE
[out] pSignature[*pulSignatureLen] [size : 0x80 (128)]
    85DAB1D8 8D06583C 91E4B1F4 6E51C720 CFEA95FD 6F437335 E7AC180B 559AAFAB
    444E8B3D 6CC78BB4 0C992D5D 69FBAA9E 70FC77B0 7A7F64CC E20B562B 8EEB19D0
    03F1CC37 CE1AEBBA B724313F 350048CB DF152A4E A91B6AEB 72839AB6 C38D2F79
    3B5A4AEF FA66E363 54AEADA0 C1C0622E 20270162 F92AFDAA A794E56D 2CB4C7E9
Returned:  0 CKR_OK



"Douglas E. Engert" <deengert@anl.gov>
Sent by: owner-heimdal-discuss@sics.se

08/31/2006 01:41 PM

To
malexander@kcp.com
cc
heimdal-discuss@sics.se
Subject
Re: pkinit integration with smart card





I have gotten the Heimdal to work with other OpenSC supported cards.

It could be that the card says it has the CKM_RSA_PKCS but really does
not or the pkcs11 lib is simulating CKM_RSA_PKCS and is having problems
doing the padding.  It might be possible to use the CKM_RSA_X_509 (raw)
mechanisum, by doing the PKCS padding first, then calling the C_Sign
functions.

Could also be that the pkcs11 is expecting the pSignature and pSignatureLen
to be set correctly, i.e. for a 1024 key, to a 128 byte buffer, and it is
returing the wrong error code.

If you can use the OpenSC spy, can you use the pkcs11-tool as well
pointing it at your PKCS11( -module <sharedlib>)? What mechanisums does
it say it has?



malexander@kcp.com wrote:

> Any idea as to why I would receive a CKR_FUNCTION_FAILED error on the
> C_Sign operation from PKCS11 module?
>
> I'm getting to the signature operation on the smart card for PKINIT when
> the kinit segment faults.  I used the pkcs11 spy library from OpenSC and
> the final operations it records with the card are:
> 33: C_OpenSession
> [in] slotID = 0x1
> [in] flags = 0x4
> pApplication=(nil)
> Notify=(nil)
> [out] *phSession = 0x806b860
> Returned:  0 CKR_OK
>
>
> 34: C_SignInit
> [in] hSession = 0x806b860
> pMechanism->type=CKM_RSA_PKCS
> [in] hKey = 0x8052508
> Returned:  0 CKR_OK
>
>
> 35: C_Sign
> [in] hSession = 0x806b860
> [in] pData[ulDataLen] [size : 0x23 (35)]
>     30213009 06052B0E 03021A05 00041496 9A0A7A5A 74DA942D CA0160DF
> CEABACB2
>     EB2E3F
> Returned:  6 CKR_FUNCTION_FAILED
>
> I've been trying to get the pkinit functionality to work with the
> ActivCard Gold middleware product.  They provide the pkcs11 module; using
> this module I'm able to get it to work with SSH using a patch, but I have
> not had success with heimdal.
>
> The module does not implement the CKA_PUBLIC_EXPONENT class.  Originally,
> the kinit aborts due to the missing exponent and so that's manually
> inserted to the value from the certificates on the Smart Card in the
> ks_p11.c.
>
> rsa->e = getattr_bn(p, slot, session, object, CKA_PUBLIC_EXPONENT);
> if (rsa->e == NULL)
>         BN_dec2bn(&rsa->e, "65537");
> if (rsa->e == NULL)
>         _hx509_abort("CKA_PUBLIC_EXPONENT missing");
>
> I've also changed the rsa->e to any number with the same results, so I'm
> wondering if I'm doing it right.
>

--

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444