[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Fwd: pkinit integration with smart card
Vidarebefordrat brev:
> Från: Love Hörnquist Åstrand <lha@kth.se>
> Datum: fredag 1 sep 2006 15.15.41 GMT+02:00
> Till: malexander@kcp.com
> Ämne: Re: pkinit integration with smart card
>
> The pkcs11 code in heimdal assumes that the library supports
> CKM_RSA_PKCS,
> I guess I'm quite wrong in that assumption is generally true.
>
> I hope this isn't a smartcard with a slow cpu or slow pipe,
> otherwise it going to suck
> to push over the data to sign to the card. It might be so that we
> have some luck
> in the Kerberos PK-INIT profile mandates signedAttrs, and that will
> cut down the data
> to 100-200byte from multi KB.
>
> The crypto glue in hx509 needs some refactoring if you can't get
> your card to do CKM_RSA_PKCS11.
>
> Love
>
>
>
>
> 31 aug 2006 kl. 23.12 skrev malexander@kcp.com:
>
>>
>> Thanks for the response. Complely new to these low level points
>> with the Smart Card so I've been looking up some terms, I
>> appreciate the advice.
>>
>> I looked at the PKCS11-tool output first:
>> pkcs11-tool --module /usr/local/acgold/lib/libpkcs11.so -M
>> Supported mechanisms:
>> RSA-PKCS, wrap, unwrap, other flags=0x20000
>> SHA1-RSA-PKCS, sign, verify, wrap, unwrap, encrypt, decrypt,
>> keypairgen, other flags=0x2d000
>>
>> The length of the destination buffer is 128 bytes. The length of
>> the signature in pData is 35 bytes. Is the CKM_RSA_X_509
>> mechanism a tool of the Card? Should/could the pData for
>> signature be padded to 128 with a method external to the card?
>>
>>
>>
>>
>> "Douglas E. Engert" <deengert@anl.gov>
>> Sent by: owner-heimdal-discuss@sics.se
>> 08/31/2006 01:41 PM
>>
>> To
>> malexander@kcp.com
>> cc
>> heimdal-discuss@sics.se
>> Subject
>> Re: pkinit integration with smart card
>>
>>
>>
>>
>>
>> I have gotten the Heimdal to work with other OpenSC supported cards.
>>
>> It could be that the card says it has the CKM_RSA_PKCS but really
>> does
>> not or the pkcs11 lib is simulating CKM_RSA_PKCS and is having
>> problems
>> doing the padding. It might be possible to use the CKM_RSA_X_509
>> (raw)
>> mechanisum, by doing the PKCS padding first, then calling the C_Sign
>> functions.
>>
>> Could also be that the pkcs11 is expecting the pSignature and
>> pSignatureLen
>> to be set correctly, i.e. for a 1024 key, to a 128 byte buffer,
>> and it is
>> returing the wrong error code.
>>
>> If you can use the OpenSC spy, can you use the pkcs11-tool as well
>> pointing it at your PKCS11( -module <sharedlib>)? What mechanisums
>> does
>> it say it has?
>>
>>
>>
>> malexander@kcp.com wrote:
>>
>> > Any idea as to why I would receive a CKR_FUNCTION_FAILED error
>> on the
>> > C_Sign operation from PKCS11 module?
>> >
>> > I'm getting to the signature operation on the smart card for
>> PKINIT when
>> > the kinit segment faults. I used the pkcs11 spy library from
>> OpenSC and
>> > the final operations it records with the card are:
>> > 33: C_OpenSession
>> > [in] slotID = 0x1
>> > [in] flags = 0x4
>> > pApplication=(nil)
>> > Notify=(nil)
>> > [out] *phSession = 0x806b860
>> > Returned: 0 CKR_OK
>> >
>> >
>> > 34: C_SignInit
>> > [in] hSession = 0x806b860
>> > pMechanism->type=CKM_RSA_PKCS
>> > [in] hKey = 0x8052508
>> > Returned: 0 CKR_OK
>> >
>> >
>> > 35: C_Sign
>> > [in] hSession = 0x806b860
>> > [in] pData[ulDataLen] [size : 0x23 (35)]
>> > 30213009 06052B0E 03021A05 00041496 9A0A7A5A 74DA942D CA0160DF
>> > CEABACB2
>> > EB2E3F
>> > Returned: 6 CKR_FUNCTION_FAILED
>> >
>> > I've been trying to get the pkinit functionality to work with the
>> > ActivCard Gold middleware product. They provide the pkcs11
>> module; using
>> > this module I'm able to get it to work with SSH using a patch,
>> but I have
>> > not had success with heimdal.
>> >
>> > The module does not implement the CKA_PUBLIC_EXPONENT class.
>> Originally,
>> > the kinit aborts due to the missing exponent and so that's manually
>> > inserted to the value from the certificates on the Smart Card in
>> the
>> > ks_p11.c.
>> >
>> > rsa->e = getattr_bn(p, slot, session, object, CKA_PUBLIC_EXPONENT);
>> > if (rsa->e == NULL)
>> > BN_dec2bn(&rsa->e, "65537");
>> > if (rsa->e == NULL)
>> > _hx509_abort("CKA_PUBLIC_EXPONENT missing");
>> >
>> > I've also changed the rsa->e to any number with the same
>> results, so I'm
>> > wondering if I'm doing it right.
>> >
>>
>> --
>>
>> Douglas E. Engert <DEEngert@anl.gov>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
>>
>