[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: pkinit integration with smart card
One thing I do see in this trace is this sequence:
6 C_OpenSesion
7 C_Login CKU_USER
32 C_CloseSesion
33 C_OpenSession
34 C_SignInit
35 C_Sign --- fail
It is not clear why the application clooses one session then opens
and a new session without the C_Login to do the do the C_Sign.
It is also not clear if you can close a sesion and expect the
hanldes to objects found under that session to still be valid
and usable be another sesion.
The library may be sending a close or reset to the card, when the
session is closed, thus the C_Sign will fail because the card will
not allow it.
Your card and PKCS#11 maybe working as expected, and it might be the
application code that needs to be changed to use use a single session.
With some other cards, the PKCS#11 implentation may not be enforcing
this behavior and card as it should and the second sesion has access
to the crypto on the card.
malexander@kcp.com wrote:
> p11_list_keys() cycles through the classes. and uses the
> iterate_entries() method is used to find the objects.
>
> First i opens a session for login the uses that session to search:
> 8: C_FindObjectsInit
> [in] hSession = 0x8052438
> [in] pTemplate[1]:
> CKA_CLASS CKO_PRIVATE_KEY
> Returned: 0 CKR_OK
>
> That finds 1 object then that object has GetAttributeValue run through
> CKA_ID/CKA_VALUE, CKA_MODULUS, CKA_PUBLIC_EXPONENT (fails, note below
> manually populated the rsa->e value with the exponent from the
> certficate). All the values are reqeusted with a 0 buffer to get the
> size, then with a second request with the proper buffer allocations.
> Another FindObjects is called, this returns an objects and the
> GetAttributeValues are run through as before. This is the object that is
> used for the hKey value in CKA_SignInit later.
> Then the FindObjectsFinal is sent.
>
> The FindObjectsInit is sent again;
> 23: C_FindObjectsInit
> [in] hSession = 0x8052438
> [in] pTemplate[1]:
> CKA_CLASS CKO_CERTIFICATE
> Returned: 0 CKR_OK
>
> That finds 1 object and then the GetAttributevalues are run same as before
> for CKA_ID/CKA_VALUE,
> then FindObjects is called again, a different objects matches and
> GetAttributes are called for CKA_ID/CKA_VALUE
> FindObjects is called again, with no returned and findObjectsFinal, then
> the session is closed.
>
> Next the applications Opens a new session and does the C_SignInit with the
> hkey value of from the second object found in the PRIVATE_KEY search. Then
> the C_Sign function fails.
>
> I copied the PKCS11-spy module output below in case I read this wrong:
> *************** OpenSC PKCS#11 spy *****************
> Loaded: "/usr/local/acgold/lib/libpkcs11.so"
>
>
> 0: C_GetFunctionList
> Returned: 0 CKR_OK
>
>
> 1: C_Initialize
> Returned: 0 CKR_OK
>
>
> 2: C_GetSlotList
> [in] tokenPresent = 0x0
> [out] pSlotList:
> Count is 1
> [out] *pulCount = 0x1
> Returned: 0 CKR_OK
>
>
> 3: C_GetSlotList
> [in] tokenPresent = 0x0
> [out] pSlotList:
> Slot 1
> [out] *pulCount = 0x1
> Returned: 0 CKR_OK
>
>
> 4: C_GetSlotInfo
> [in] slotID = 0x1
> [out] pInfo:
> slotDescription: 'ActivCard USB Reader 2.0 (60102D'
> '27) 00 00 '
> manufacturerID: 'Unknown MFR '
> hardwareVersion: 1.0
> firmwareVersion: 1.0
> flags: 7
> CKF_TOKEN_PRESENT
> CKF_REMOVABLE_DEVICE
> CKF_HW_SLOT
> Returned: 0 CKR_OK
>
>
> 5: C_GetTokenInfo
> [in] slotID = 0x1
> [out] pInfo:
> label: 'ActivIdentity Smart Card '
> manufacturerID: 'Unknown MFR '
> model: 'Unknown Model '
> serialNumber: '1 '
> ulMaxSessionCount: 0
> ulSessionCount: 0
> ulMaxRwSessionCount: 0
> ulRwSessionCount: 0
> ulMaxPinLen: 8
> ulMinPinLen: 8
> ulTotalPublicMemory: 0
> ulFreePublicMemory: 0
> ulTotalPrivateMemory: 0
> ulFreePrivateMemory: 0
> hardwareVersion: 255.0
> firmwareVersion: 255.0
> time: '0000000000000000'
> flags: 40d
> CKF_RNG
> CKF_LOGIN_REQUIRED
> CKF_USER_PIN_INITIALIZED
> CKF_TOKEN_INITIALIZED
> Returned: 0 CKR_OK
>
>
> 6: C_OpenSession
> [in] slotID = 0x1
> [in] flags = 0x4
> pApplication=(nil)
> Notify=(nil)
> [out] *phSession = 0x8052438
> Returned: 0 CKR_OK
>
>
> 7: C_Login
> [in] hSession = 0x8052438
> [in] userType = CKU_USER
> [in] pPin[ulPinLen] [size : 0x6 (6)]
> 36353431 3233
> Returned: 0 CKR_OK
>
>
> 8: C_FindObjectsInit
> [in] hSession = 0x8052438
> [in] pTemplate[1]:
> CKA_CLASS CKO_PRIVATE_KEY
> Returned: 0 CKR_OK
>
>
> 9: C_FindObjects
> [in] hSession = 0x8052438
> [in] ulMaxObjectCount = 0x1
> [out] ulObjectCount = 0x1
> Object 134612592 Matches
> Returned: 0 CKR_OK
>
>
> 10: C_GetAttributeValue
> [in] hSession = 0x8052438
> [in] hObject = 0x8060670
> [in] pTemplate[1]:
> CKA_ID requested with 0 buffer
> [out] pTemplate[1]:
> CKA_ID has size 1
> Returned: 0 CKR_OK
>
>
> 11: C_GetAttributeValue
> [in] hSession = 0x8052438
> [in] hObject = 0x8060670
> [in] pTemplate[1]:
> CKA_ID requested with 1 buffer
> [out] pTemplate[1]:
> CKA_ID [size : 0x1 (1)]
> 01
> Returned: 0 CKR_OK
>
>
> 12: C_GetAttributeValue
> [in] hSession = 0x8052438
> [in] hObject = 0x8060670
> [in] pTemplate[1]:
> CKA_MODULUS requested with 0 buffer
> [out] pTemplate[1]:
> CKA_MODULUS has size 128
> Returned: 0 CKR_OK
>
>
> 13: C_GetAttributeValue
> [in] hSession = 0x8052438
> [in] hObject = 0x8060670
> [in] pTemplate[1]:
> CKA_MODULUS requested with 128 buffer
> [out] pTemplate[1]:
> CKA_MODULUS [size : 0x80 (128)]
> 9DA6B972 1C10BFF8 C5D762E2 3439468F B907EDB0 CC9303CA B4F2C5B4
> 9A9D30A3
> 9DD7D36E 4020E756 A947A48C 59176B6E 70F58A84 CD4282BC 0996A561
> 4496FA47
> 6B03DE82 FF56A682 03517E8F D0D7D322 15346B06 2B1A39F0 C3202FC8
> A12C3043
> 81F44F5E 5E074D17 62899B4B 9CF10374 FD484A3A F815166A 02D43C0D
> 9BB22387
> Returned: 0 CKR_OK
>
>
> 14: C_GetAttributeValue
> [in] hSession = 0x8052438
> [in] hObject = 0x8060670
> [in] pTemplate[1]:
> CKA_PUBLIC_EXPONENT requested with 0 buffer
> [out] pTemplate[1]:
> CKA_PUBLIC_EXPONENT has size -1
> Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID
>
>
> 15: C_FindObjects
> [in] hSession = 0x8052438
> [in] ulMaxObjectCount = 0x1
> [out] ulObjectCount = 0x1
> Object 134555168 Matches
> Returned: 0 CKR_OK
>
>
> 16: C_GetAttributeValue
> [in] hSession = 0x8052438
> [in] hObject = 0x8052620
> [in] pTemplate[1]:
> CKA_ID requested with 1 buffer
> [out] pTemplate[1]:
> CKA_ID has size 1
> Returned: 0 CKR_OK
>
>
> 17: C_GetAttributeValue
> [in] hSession = 0x8052438
> [in] hObject = 0x8052620
> [in] pTemplate[1]:
> CKA_ID requested with 1 buffer
> [out] pTemplate[1]:
> CKA_ID [size : 0x1 (1)]
> 00
> Returned: 0 CKR_OK
>
>
> 18: C_GetAttributeValue
> [in] hSession = 0x8052438
> [in] hObject = 0x8052620
> [in] pTemplate[1]:
> CKA_MODULUS requested with 0 buffer
> [out] pTemplate[1]:
> CKA_MODULUS has size 128
> Returned: 0 CKR_OK
>
>
> 19: C_GetAttributeValue
> [in] hSession = 0x8052438
> [in] hObject = 0x8052620
> [in] pTemplate[1]:
> CKA_MODULUS requested with 128 buffer
> [out] pTemplate[1]:
> CKA_MODULUS [size : 0x80 (128)]
> 89E42655 C26A3DD8 58349968 A5A32FAE 2FF199EE 0D334E2D E24AA53F
> AFD5AAF9
> 0D9EEACE 7224BB09 D2F4739F 8A678433 7E9F8892 71B4A7F5 27C278A7
> 71C6BD0C
> FB4DA725 19934967 8A4CBD9D 36FB8518 F0A81FDB D7F57B55 1912A2C8
> 8AA9859C
> 732CD522 8E95A9D0 70A79522 ABC3E0F1 4C374FA8 E1799B48 54668406
> 042FFF23
> Returned: 0 CKR_OK
>
>
> 20: C_GetAttributeValue
> [in] hSession = 0x8052438
> [in] hObject = 0x8052620
> [in] pTemplate[1]:
> CKA_PUBLIC_EXPONENT requested with 0 buffer
> [out] pTemplate[1]:
> CKA_PUBLIC_EXPONENT has size -1
> Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID
>
>
> 21: C_FindObjects
> [in] hSession = 0x8052438
> [in] ulMaxObjectCount = 0x1
> [out] ulObjectCount = 0x0
> Returned: 0 CKR_OK
>
>
> 22: C_FindObjectsFinal
> [in] hSession = 0x8052438
> Returned: 0 CKR_OK
>
>
> 23: C_FindObjectsInit
> [in] hSession = 0x8052438
> [in] pTemplate[1]:
> CKA_CLASS CKO_CERTIFICATE
> Returned: 0 CKR_OK
>
>
> 24: C_FindObjects
> [in] hSession = 0x8052438
> [in] ulMaxObjectCount = 0x1
> [out] ulObjectCount = 0x1
> Object 134630568 Matches
> Returned: 0 CKR_OK
>
>
> 25: C_GetAttributeValue
> [in] hSession = 0x8052438
> [in] hObject = 0x8064ca8
> [in] pTemplate[2]:
> CKA_ID requested with 1 buffer
> CKA_VALUE requested with 0 buffer
> [out] pTemplate[2]:
> CKA_ID has size 1
> CKA_VALUE has size 1351
> Returned: 0 CKR_OK
>
>
> 26: C_GetAttributeValue
> [in] hSession = 0x8052438
> [in] hObject = 0x8064ca8
> [in] pTemplate[2]:
> CKA_ID requested with 1 buffer
> CKA_VALUE requested with 1351 buffer
> [out] pTemplate[2]:
> CKA_ID [size : 0x1 (1)]
> 01
> CKA_VALUE [size : 0x547 (1351)]
> 30820543 308204AC A0030201 0202043E CA423A30 0D06092A 864886F7
> 0D010105
> 0500306F 310B3009 06035504 06130255 53311830 16060355 040A130F
> 552E532E
> 20476F76 65726E6D 656E7431 1D301B06 0355040B 13144465 70617274
> 6D656E74
> 206F6620 456E6572 6779311A 30180603 55040B13 114B616E 73617320
> 43697479
> 20506C61 6E74310B 30090603 55040B13 02434130 1E170D30 36303732
> 36313733
> 3134305A 170D3039 30373236 31383031 34305A30 81B1310B 30090603
> 55040613
> 02555331 18301606 0355040A 130F552E 532E2047 6F766572 6E6D656E
> 74311D30
> 1B060355 040B1314 44657061 72746D65 6E74206F 6620456E 65726779
> 311A3018
> 06035504 0B13114B 616E7361 73204369 74792050 6C616E74 310F300D
> 06035504
> 0B130670 6572736F 6E310E30 0C060355 040B1305 6C6F6361 6C312C30
> 0D060355
> 04051306 75363032 3637301B 06035504 0313144D 69636861 656C2042
> 2E20416C
> 6578616E 64657230 819F300D 06092A86 4886F70D 01010105 0003818D
> 00308189
> 02818100 9DA6B972 1C10BFF8 C5D762E2 3439468F B907EDB0 CC9303CA
> B4F2C5B4
> 9A9D30A3 9DD7D36E 4020E756 A947A48C 59176B6E 70F58A84 CD4282BC
> 0996A561
> 4496FA47 6B03DE82 FF56A682 03517E8F D0D7D322 15346B06 2B1A39F0
> C3202FC8
> A12C3043 81F44F5E 5E074D17 62899B4B 9CF10374 FD484A3A F815166A
> 02D43C0D
> 9BB22387 02030100 01A38202 A7308202 A3301706 03551D20 0410300E
> 300C060A
> 60864801 65030201 0A043040 0603551D 11043930 3781126D 616C6578
> 616E6465
> 72406B63 702E636F 6DA02106 0A2B0601 04018237 140203A0 130C1175
> 36303236
> 37406164 2E6B6370 2E636F6D 301B0603 551D0904 14301230 1006092A
> 864886F6
> 7D07441D 31030201 11308201 B4060355 1D1F0482 01AB3082 01A73081
> 8AA08187
> A08184A4 8181307F 310B3009 06035504 06130255 53311830 16060355
> 040A130F
> 552E532E 20476F76 65726E6D 656E7431 1D301B06 0355040B 13144465
> 70617274
> 6D656E74 206F6620 456E6572 6779311A 30180603 55040B13 114B616E
> 73617320
> 43697479 20506C61 6E74310B 30090603 55040B13 02434131 0E300C06
> 03550403
> 13054352 4C313730 820116A0 820112A0 82010E86 81836C64 61703A2F
> 2F656E74
> 72757374 6469722E 6B63702E 636F6D2F 636E3D57 696E436F 6D62696E
> 6564312C
> 6F753D43 412C6F75 3D4B616E 73617325 32304369 74792532 30506C61
> 6E742C6F
> 753D4465 70617274 6D656E74 2532306F 66253230 456E6572 67792C6F
> 3D552E53
> 2E253230 476F7665 726E6D65 6E742C63 3D55533F 3F626173 65868185
> 6C646170
> 3A2F2F2F 434E3D43 41312C43 4E3D4341 53657276 65722C43 4E3D4344
> 502C434E
> 3D507562 6C696320 4B657920 53657276 69636573 2C434E3D 53657276
> 69636573
> 2C434E3D 436F6E66 69677572 6174696F 6E2C4443 3D726F6F 742C4443
> 3D6B6370
> 2C44433D 636F6D3F 63657274 69666963 61746552 65766F63 6174696F
> 6E4C6973
> 74300B06 03551D0F 04040302 0520301F 0603551D 23041830 168014D8
> 9483D59A
> 6B2F737D A2F1CA82 6BD1ABC4 06C7BE30 1D060355 1D0E0416 0414BCF1
> 13E31D54
> 1BA07348 2C30AE2B 69A0D7CE 4E5D3009 0603551D 13040230 00301906
> 092A8648
> 86F67D07 4100040C 300A1B04 56372E31 03020490 300D0609 2A864886
> F70D0101
> 05050003 81810050 75D4AEE3 CF0D112B A1D0B610 93158141 E892E3D2
> 7E9F07C0
> 67A8CB64 33725D41 440DFBF3 FE3C6DDB F1C972B3 EBFD90E9 854FB862
> BD03513C
> DD71CD72 752FD7EA 7972B908 31C11686 295CE116 4BD6A17B A37EB8CB
> E5B59085
> 560D0A7A A509D152 186FD599 E2119CCE A30F87C6 5048CA9E BEF5A3A3
> 82BC7CA4
> EEFCF7AA 057CC9
> Returned: 0 CKR_OK
>
>
> 27: C_FindObjects
> [in] hSession = 0x8052438
> [in] ulMaxObjectCount = 0x1
> [out] ulObjectCount = 0x1
> Object 134613664 Matches
> Returned: 0 CKR_OK
>
>
> 28: C_GetAttributeValue
> [in] hSession = 0x8052438
> [in] hObject = 0x8060aa0
> [in] pTemplate[2]:
> CKA_ID requested with 1 buffer
> CKA_VALUE requested with 1351 buffer
> [out] pTemplate[2]:
> CKA_ID has size 1
> CKA_VALUE has size 1429
> Returned: 0 CKR_OK
>
>
> 29: C_GetAttributeValue
> [in] hSession = 0x8052438
> [in] hObject = 0x8060aa0
> [in] pTemplate[2]:
> CKA_ID requested with 1 buffer
> CKA_VALUE requested with 1429 buffer
> [out] pTemplate[2]:
> CKA_ID [size : 0x1 (1)]
> 00
> CKA_VALUE [size : 0x595 (1429)]
> 30820591 308204FA A0030201 0202043E CA43DB30 0D06092A 864886F7
> 0D010105
> 0500306F 310B3009 06035504 06130255 53311830 16060355 040A130F
> 552E532E
> 20476F76 65726E6D 656E7431 1D301B06 0355040B 13144465 70617274
> 6D656E74
> 206F6620 456E6572 6779311A 30180603 55040B13 114B616E 73617320
> 43697479
> 20506C61 6E74310B 30090603 55040B13 02434130 1E170D30 36303830
> 33313630
> 3735305A 170D3039 30383033 31363337 35305A30 81B1310B 30090603
> 55040613
> 02555331 18301606 0355040A 130F552E 532E2047 6F766572 6E6D656E
> 74311D30
> 1B060355 040B1314 44657061 72746D65 6E74206F 6620456E 65726779
> 311A3018
> 06035504 0B13114B 616E7361 73204369 74792050 6C616E74 310F300D
> 06035504
> 0B130670 6572736F 6E310E30 0C060355 040B1305 6C6F6361 6C312C30
> 0D060355
> 04051306 75363032 3637301B 06035504 0313144D 69636861 656C2042
> 2E20416C
> 6578616E 64657230 819F300D 06092A86 4886F70D 01010105 0003818D
> 00308189
> 02818100 89E42655 C26A3DD8 58349968 A5A32FAE 2FF199EE 0D334E2D
> E24AA53F
> AFD5AAF9 0D9EEACE 7224BB09 D2F4739F 8A678433 7E9F8892 71B4A7F5
> 27C278A7
> 71C6BD0C FB4DA725 19934967 8A4CBD9D 36FB8518 F0A81FDB D7F57B55
> 1912A2C8
> 8AA9859C 732CD522 8E95A9D0 70A79522 ABC3E0F1 4C374FA8 E1799B48
> 54668406
> 042FFF23 02030100 01A38202 F5308202 F1300B06 03551D0F 04040302
> 0780302B
> 0603551D 10042430 22800F32 30303630 38303331 36303735 305A810F
> 32303038
> 30393038 32303337 35305A30 1F060355 1D250418 30160608 2B060105
> 05070302
> 060A2B06 01040182 37140202 30170603 551D2004 10300E30 0C060A60
> 86480165
> 0302010A 04304006 03551D11 04393037 81126D61 6C657861 6E646572
> 406B6370
> 2E636F6D A021060A 2B060104 01823714 0203A013 0C117536 30323637
> 4061642E
> 6B63702E 636F6D30 1B060355 1D090414 30123010 06092A86 4886F67D
> 07441D31
> 03020111 308201B4 0603551D 1F048201 AB308201 A730818A A08187A0
> 8184A481
> 81307F31 0B300906 03550406 13025553 31183016 06035504 0A130F55
> 2E532E20
> 476F7665 726E6D65 6E74311D 301B0603 55040B13 14446570 6172746D
> 656E7420
> 6F662045 6E657267 79311A30 18060355 040B1311 4B616E73 61732043
> 69747920
> 506C616E 74310B30 09060355 040B1302 4341310E 300C0603 55040313
> 0543524C
> 31373082 0116A082 0112A082 010E8681 836C6461 703A2F2F 656E7472
> 75737464
> 69722E6B 63702E63 6F6D2F63 6E3D5769 6E436F6D 62696E65 64312C6F
> 753D4341
> 2C6F753D 4B616E73 61732532 30436974 79253230 506C616E 742C6F75
> 3D446570
> 6172746D 656E7425 32306F66 25323045 6E657267 792C6F3D 552E532E
> 25323047
> 6F766572 6E6D656E 742C633D 55533F3F 62617365 8681856C 6461703A
> 2F2F2F43
> 4E3D4341 312C434E 3D434153 65727665 722C434E 3D434450 2C434E3D
> 5075626C
> 6963204B 65792053 65727669 6365732C 434E3D53 65727669 6365732C
> 434E3D43
> 6F6E6669 67757261 74696F6E 2C44433D 726F6F74 2C44433D 6B63702C
> 44433D63
> 6F6D3F63 65727469 66696361 74655265 766F6361 74696F6E 4C697374
> 301F0603
> 551D2304 18301680 14D89483 D59A6B2F 737DA2F1 CA826BD1 ABC406C7
> BE301D06
> 03551D0E 04160414 29704371 70BCFD33 E6DDA186 60E3CD45 A09EE354
> 30090603
> 551D1304 02300030 1906092A 864886F6 7D074100 040C300A 1B045637
> 2E310302
> 04B0300D 06092A86 4886F70D 01010505 00038181 0042F9C0 B1607678
> 6EF1E5FF
> E90C23FD C2BDAC68 A7DCEC63 F541AA3B F3EA9D9D 36115A54 14B74B0C
> 769E3487
> F5B60080 F3C23E9E BE908AD8 18380393 F333DFCC 794782C4 8B159D4B
> DE0E9C9B
> 7BF4ACCE 0F586AA7 2E0EC60A E36B3B55 992F8B3B 0AE156A8 3F95C10C
> D8E40860
> 931BFC39 D2DBF130 FF53CD62 18294EEB FE7A5318 71
> Returned: 0 CKR_OK
>
>
> 30: C_FindObjects
> [in] hSession = 0x8052438
> [in] ulMaxObjectCount = 0x1
> [out] ulObjectCount = 0x0
> Returned: 0 CKR_OK
>
>
> 31: C_FindObjectsFinal
> [in] hSession = 0x8052438
> Returned: 0 CKR_OK
>
>
> 32: C_CloseSession
> [in] hSession = 0x8052438
> Returned: 0 CKR_OK
>
>
> 33: C_OpenSession
> [in] slotID = 0x1
> [in] flags = 0x4
> pApplication=(nil)
> Notify=(nil)
> [out] *phSession = 0x806f8c0
> Returned: 0 CKR_OK
>
>
> 34: C_SignInit
> [in] hSession = 0x806f8c0
> pMechanism->type=CKM_RSA_PKCS
> [in] hKey = 0x8052620
> Returned: 0 CKR_OK
>
>
> 35: C_Sign
> [in] hSession = 0x806f8c0
> [in] pData[ulDataLen] [size : 0x23 (35)]
> 30213009 06052B0E 03021A05 000414C5 89CD9A75 43934015 0D224CD1
> 3E5BE1F8
> 6B9145
> Returned: 6 CKR_FUNCTION_FAILED
>
>
>
>
>
>
> "Douglas E. Engert" <deengert@anl.gov>
> 09/01/2006 03:38 PM
>
> To
> malexander@kcp.com
> cc
> heimdal-discuss@sics.se
> Subject
> Re: pkinit integration with smart card
>
>
>
>
>
>
>
>
> malexander@kcp.com wrote:
>
>
>>I think I just had a light bulb go off. The hKey value isn't a key like
>
> a
>
>>symmetric key. The hKey value is an object on the card, that is the
>>private key. Is this right?
>
>
> Sort of. Its a handle to pass to the PKCS#11 that it uses to find the
> key on the card.
>
>
>>The hKey value is found in Mozilla with a FindObjectsInit using the
>>pTemplate[2]:
>>[in] pTemplate[2]:
>> CKA_ID [size : 0x1 (1)]
>> 00
>> CKA_CLASS CKO_PRIVATE_KEY
>>
>>The object that matches is returned and used in the SignInit function.
>>
>>In heimdal pkinit it looks like it sends the FindObjectsInit with just
>
> the
>
>>CKA_CLASS for the Private key.
>
>
> And what does the FindObject return? Just one key, or many keys.
> Are the calls to the FindObject... and C_Sign all in the same session?
> Are there any other calls between the two that would cause the PKCS#11
> to get confused about what hKey was to be used with trhe C_Sign.
>
>
>>Can I add the CKA_ID for 00 in the FindObjectsInit?
>
>
>
> Maybe. But this may depend on how many keys are on the card,
> and you need to use the key that matches the certificate.
> The certificate should have a CKA_ID that can be used to find the
> matching key. So the apliucation code should use this when it
> is trying to find the key object.
>
>
> Do you have a copy of the PKCS#11 douument? It can be found at
> http://www.rsasecurity.com/rsalabs/node.asp?id=2133
> or Google for RSA PKCS#11 it "must" reading when debuging PKCS#11.
>
>
>
>>
>>
>>"Douglas E. Engert" <deengert@anl.gov>
>>Sent by: owner-heimdal-discuss@sics.se
>>09/01/2006 10:44 AM
>>
>>To
>>malexander@kcp.com
>>cc
>>heimdal-discuss@sics.se, owner-heimdal-discuss@sics.se
>>Subject
>>Re: pkinit integration with smart card
>>
>>
>>
>>
>>
>>
>>
>>
>>malexander@kcp.com wrote:
>>
>>
>>
>>>Thanks for the response. Complely new to these low level points with
>>
>>the
>>
>>
>>>Smart Card so I've been looking up some terms, I appreciate the advice.
>>>
>>>I looked at the PKCS11-tool output first:
>>>pkcs11-tool --module /usr/local/acgold/lib/libpkcs11.so -M Supported
>>>mechanisms:
>>
>>
>>I am not sure what the other flags are, but I would expect the
>>RSA-PKCS would have sign, verify, wrap, unwrap, and maybe decrypt.
>>Note it did not say sign, which is the operation you are trying to do.
>>
>>
>>
>>> RSA-PKCS, wrap, unwrap, other flags=0x20000
>>
>>
>>> SHA1-RSA-PKCS, sign, verify, wrap, unwrap, encrypt, decrypt,
>>
>>keypairgen,
>>
>>
>>>other flags=0x2d000
>>>
>>
>>
>>The available mechanisum from PKCS11 are a combinatiuon of what can be
>>done
>>in the software and the smartcard. For example the SHA1 hash might be
>
> done
>
>>by sending the data to the card, or could be done by the pkcs11 software
>>to produce the hash.
>>
>>I am suprised if it can do SHA1_RSA_PKCS sign, it can't do
>>RSA_PKCS as this just skips the hash set.
>>
>>
>>
>>
>>
>>>The length of the destination buffer is 128 bytes. The length of the
>>>signature in pData is 35 bytes. Is the CKM_RSA_X_509 mechanism a tool
>>
>>of
>>
>>
>>>the Card? Should/could the pData for signature be padded to 128 with a
>>>method external to the card?
>>
>>
>>A sign with RSA_PKCS says take the input and pad with PKCS padding 01
>
> then
>
>>do an RSA encrypt using the private key. The data must be less then
>>keysize-11 so normally the data sent is a hash of the data you really
>
> want
>
>>to sign.
>>
>>A sign with SHA1_RSA_PKCS says pass the data (any length) to the C_Sign
>
> or
>
>>(C_SignUpdate...+C_SignFinal) then do the padding and encrypt with RSA.
>>
>>So as Love pointed out, the Heimdal applicaiton could send the data
>>pre hashed data to the PKCS11 using SHA1_RSA_PKCS.
>>
>>
>>
>>>
>>>
>>>
>>>"Douglas E. Engert" <deengert@anl.gov>
>>>Sent by: owner-heimdal-discuss@sics.se
>>>08/31/2006 01:41 PM
>>>
>>>To
>>>malexander@kcp.com
>>>cc
>>>heimdal-discuss@sics.se
>>>Subject
>>>Re: pkinit integration with smart card
>>>
>>>
>>>
>>>
>>>
>>>
>>>I have gotten the Heimdal to work with other OpenSC supported cards.
>>>
>>>It could be that the card says it has the CKM_RSA_PKCS but really does
>>>not or the pkcs11 lib is simulating CKM_RSA_PKCS and is having problems
>>>doing the padding. It might be possible to use the CKM_RSA_X_509 (raw)
>>>mechanisum, by doing the PKCS padding first, then calling the C_Sign
>>>functions.
>>>
>>>Could also be that the pkcs11 is expecting the pSignature and
>>>pSignatureLen
>>>to be set correctly, i.e. for a 1024 key, to a 128 byte buffer, and it
>>
>>is
>>
>>
>>>returing the wrong error code.
>>>
>>>If you can use the OpenSC spy, can you use the pkcs11-tool as well
>>>pointing it at your PKCS11( -module <sharedlib>)? What mechanisums does
>>>it say it has?
>>>
>>>
>>>
>>>malexander@kcp.com wrote:
>>>
>>>
>>>
>>>
>>>>Any idea as to why I would receive a CKR_FUNCTION_FAILED error on the
>>>>C_Sign operation from PKCS11 module?
>>>>
>>>>I'm getting to the signature operation on the smart card for PKINIT
>
> when
>
>>
>>>>the kinit segment faults. I used the pkcs11 spy library from OpenSC
>
> and
>
>>
>>>>the final operations it records with the card are:
>>>>33: C_OpenSession
>>>>[in] slotID = 0x1
>>>>[in] flags = 0x4
>>>>pApplication=(nil)
>>>>Notify=(nil)
>>>>[out] *phSession = 0x806b860
>>>>Returned: 0 CKR_OK
>>>>
>>>>
>>>>34: C_SignInit
>>>>[in] hSession = 0x806b860
>>>>pMechanism->type=CKM_RSA_PKCS
>>>>[in] hKey = 0x8052508
>>>>Returned: 0 CKR_OK
>>>>
>>>>
>>>>35: C_Sign
>>>>[in] hSession = 0x806b860
>>>>[in] pData[ulDataLen] [size : 0x23 (35)]
>>>> 30213009 06052B0E 03021A05 00041496 9A0A7A5A 74DA942D CA0160DF
>>>>CEABACB2
>>>> EB2E3F
>>>>Returned: 6 CKR_FUNCTION_FAILED
>>>>
>>>>I've been trying to get the pkinit functionality to work with the
>>>>ActivCard Gold middleware product. They provide the pkcs11 module;
>>>
>>>using
>>>
>>>
>>>
>>>>this module I'm able to get it to work with SSH using a patch, but I
>>>
>>>have
>>>
>>>
>>>
>>>>not had success with heimdal.
>>>>
>>>>The module does not implement the CKA_PUBLIC_EXPONENT class.
>
> Originally,
>
>>
>>>>the kinit aborts due to the missing exponent and so that's manually
>>>>inserted to the value from the certificates on the Smart Card in the
>>>>ks_p11.c.
>>>>
>>>>rsa->e = getattr_bn(p, slot, session, object, CKA_PUBLIC_EXPONENT);
>>>>if (rsa->e == NULL)
>>>> BN_dec2bn(&rsa->e, "65537");
>>>>if (rsa->e == NULL)
>>>> _hx509_abort("CKA_PUBLIC_EXPONENT missing");
>>>>
>>>>I've also changed the rsa->e to any number with the same results, so
>
> I'm
>
>>
>>>>wondering if I'm doing it right.
>>>>
>>>
>>>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444