[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: pkinit integration with smart card
The standard say one login is enough for all session since they all
share
the same loginstate.
That said, I can belive you that this is the case, I've commited code
that should
deal with by keeping the session around. See next snapshot generated in
a couple of hours.
Love
5 sep 2006 kl. 21.42 skrev Douglas E. Engert:
> One thing I do see in this trace is this sequence:
>
> 6 C_OpenSesion
> 7 C_Login CKU_USER
> 32 C_CloseSesion
> 33 C_OpenSession
> 34 C_SignInit
> 35 C_Sign --- fail
>
> It is not clear why the application clooses one session then opens
> and a new session without the C_Login to do the do the C_Sign.
>
> It is also not clear if you can close a sesion and expect the
> hanldes to objects found under that session to still be valid
> and usable be another sesion.
>
> The library may be sending a close or reset to the card, when the
> session is closed, thus the C_Sign will fail because the card will
> not allow it.
>
> Your card and PKCS#11 maybe working as expected, and it might be the
> application code that needs to be changed to use use a single session.
>
> With some other cards, the PKCS#11 implentation may not be enforcing
> this behavior and card as it should and the second sesion has access
> to the crypto on the card.
>
>
>
>
>
> malexander@kcp.com wrote:
>> p11_list_keys() cycles through the classes. and uses the
>> iterate_entries() method is used to find the objects. First i
>> opens a session for login the uses that session to search:
>> 8: C_FindObjectsInit
>> [in] hSession = 0x8052438
>> [in] pTemplate[1]:
>> CKA_CLASS CKO_PRIVATE_KEY
>> Returned: 0 CKR_OK
>> That finds 1 object then that object has GetAttributeValue run
>> through CKA_ID/CKA_VALUE, CKA_MODULUS, CKA_PUBLIC_EXPONENT (fails,
>> note below manually populated the rsa->e value with the exponent
>> from the certficate). All the values are reqeusted with a 0
>> buffer to get the size, then with a second request with the proper
>> buffer allocations. Another FindObjects is called, this returns an
>> objects and the GetAttributeValues are run through as before.
>> This is the object that is used for the hKey value in CKA_SignInit
>> later.
>> Then the FindObjectsFinal is sent. The FindObjectsInit is sent again;
>> 23: C_FindObjectsInit
>> [in] hSession = 0x8052438
>> [in] pTemplate[1]:
>> CKA_CLASS CKO_CERTIFICATE
>> Returned: 0 CKR_OK
>> That finds 1 object and then the GetAttributevalues are run same
>> as before for CKA_ID/CKA_VALUE, then FindObjects is called again,
>> a different objects matches and GetAttributes are called for
>> CKA_ID/CKA_VALUE
>> FindObjects is called again, with no returned and
>> findObjectsFinal, then the session is closed.
>> Next the applications Opens a new session and does the C_SignInit
>> with the hkey value of from the second object found in the
>> PRIVATE_KEY search. Then the C_Sign function fails.
>> I copied the PKCS11-spy module output below in case I read this
>> wrong:
>> *************** OpenSC PKCS#11 spy *****************
>> Loaded: "/usr/local/acgold/lib/libpkcs11.so"
>> 0: C_GetFunctionList
>> Returned: 0 CKR_OK
>> 1: C_Initialize
>> Returned: 0 CKR_OK
>> 2: C_GetSlotList
>> [in] tokenPresent = 0x0
>> [out] pSlotList:
>> Count is 1
>> [out] *pulCount = 0x1
>> Returned: 0 CKR_OK
>> 3: C_GetSlotList
>> [in] tokenPresent = 0x0
>> [out] pSlotList:
>> Slot 1
>> [out] *pulCount = 0x1
>> Returned: 0 CKR_OK
>> 4: C_GetSlotInfo
>> [in] slotID = 0x1
>> [out] pInfo:
>> slotDescription: 'ActivCard USB Reader 2.0 (60102D'
>> '27) 00 00 '
>> manufacturerID: 'Unknown MFR '
>> hardwareVersion: 1.0
>> firmwareVersion: 1.0
>> flags: 7
>> CKF_TOKEN_PRESENT
>> CKF_REMOVABLE_DEVICE
>> CKF_HW_SLOT
>> Returned: 0 CKR_OK
>> 5: C_GetTokenInfo
>> [in] slotID = 0x1
>> [out] pInfo:
>> label: 'ActivIdentity Smart Card '
>> manufacturerID: 'Unknown MFR '
>> model: 'Unknown Model '
>> serialNumber: '1 '
>> ulMaxSessionCount: 0
>> ulSessionCount: 0
>> ulMaxRwSessionCount: 0
>> ulRwSessionCount: 0
>> ulMaxPinLen: 8
>> ulMinPinLen: 8
>> ulTotalPublicMemory: 0
>> ulFreePublicMemory: 0
>> ulTotalPrivateMemory: 0
>> ulFreePrivateMemory: 0
>> hardwareVersion: 255.0
>> firmwareVersion: 255.0
>> time: '0000000000000000'
>> flags: 40d
>> CKF_RNG
>> CKF_LOGIN_REQUIRED
>> CKF_USER_PIN_INITIALIZED
>> CKF_TOKEN_INITIALIZED
>> Returned: 0 CKR_OK
>> 6: C_OpenSession
>> [in] slotID = 0x1
>> [in] flags = 0x4
>> pApplication=(nil)
>> Notify=(nil)
>> [out] *phSession = 0x8052438
>> Returned: 0 CKR_OK
>> 7: C_Login
>> [in] hSession = 0x8052438
>> [in] userType = CKU_USER
>> [in] pPin[ulPinLen] [size : 0x6 (6)]
>> 36353431 3233
>> Returned: 0 CKR_OK
>> 8: C_FindObjectsInit
>> [in] hSession = 0x8052438
>> [in] pTemplate[1]:
>> CKA_CLASS CKO_PRIVATE_KEY
>> Returned: 0 CKR_OK
>> 9: C_FindObjects
>> [in] hSession = 0x8052438
>> [in] ulMaxObjectCount = 0x1
>> [out] ulObjectCount = 0x1
>> Object 134612592 Matches
>> Returned: 0 CKR_OK
>> 10: C_GetAttributeValue
>> [in] hSession = 0x8052438
>> [in] hObject = 0x8060670
>> [in] pTemplate[1]:
>> CKA_ID requested with 0 buffer
>> [out] pTemplate[1]:
>> CKA_ID has size 1
>> Returned: 0 CKR_OK
>> 11: C_GetAttributeValue
>> [in] hSession = 0x8052438
>> [in] hObject = 0x8060670
>> [in] pTemplate[1]:
>> CKA_ID requested with 1 buffer
>> [out] pTemplate[1]:
>> CKA_ID [size : 0x1 (1)]
>> 01
>> Returned: 0 CKR_OK
>> 12: C_GetAttributeValue
>> [in] hSession = 0x8052438
>> [in] hObject = 0x8060670
>> [in] pTemplate[1]:
>> CKA_MODULUS requested with 0 buffer
>> [out] pTemplate[1]:
>> CKA_MODULUS has size 128
>> Returned: 0 CKR_OK
>> 13: C_GetAttributeValue
>> [in] hSession = 0x8052438
>> [in] hObject = 0x8060670
>> [in] pTemplate[1]:
>> CKA_MODULUS requested with 128 buffer
>> [out] pTemplate[1]:
>> CKA_MODULUS [size : 0x80 (128)]
>> 9DA6B972 1C10BFF8 C5D762E2 3439468F B907EDB0 CC9303CA B4F2C5B4
>> 9A9D30A3
>> 9DD7D36E 4020E756 A947A48C 59176B6E 70F58A84 CD4282BC 0996A561
>> 4496FA47
>> 6B03DE82 FF56A682 03517E8F D0D7D322 15346B06 2B1A39F0 C3202FC8
>> A12C3043
>> 81F44F5E 5E074D17 62899B4B 9CF10374 FD484A3A F815166A 02D43C0D
>> 9BB22387
>> Returned: 0 CKR_OK
>> 14: C_GetAttributeValue
>> [in] hSession = 0x8052438
>> [in] hObject = 0x8060670
>> [in] pTemplate[1]:
>> CKA_PUBLIC_EXPONENT requested with 0 buffer
>> [out] pTemplate[1]:
>> CKA_PUBLIC_EXPONENT has size -1
>> Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID
>> 15: C_FindObjects
>> [in] hSession = 0x8052438
>> [in] ulMaxObjectCount = 0x1
>> [out] ulObjectCount = 0x1
>> Object 134555168 Matches
>> Returned: 0 CKR_OK
>> 16: C_GetAttributeValue
>> [in] hSession = 0x8052438
>> [in] hObject = 0x8052620
>> [in] pTemplate[1]:
>> CKA_ID requested with 1 buffer
>> [out] pTemplate[1]:
>> CKA_ID has size 1
>> Returned: 0 CKR_OK
>> 17: C_GetAttributeValue
>> [in] hSession = 0x8052438
>> [in] hObject = 0x8052620
>> [in] pTemplate[1]:
>> CKA_ID requested with 1 buffer
>> [out] pTemplate[1]:
>> CKA_ID [size : 0x1 (1)]
>> 00
>> Returned: 0 CKR_OK
>> 18: C_GetAttributeValue
>> [in] hSession = 0x8052438
>> [in] hObject = 0x8052620
>> [in] pTemplate[1]:
>> CKA_MODULUS requested with 0 buffer
>> [out] pTemplate[1]:
>> CKA_MODULUS has size 128
>> Returned: 0 CKR_OK
>> 19: C_GetAttributeValue
>> [in] hSession = 0x8052438
>> [in] hObject = 0x8052620
>> [in] pTemplate[1]:
>> CKA_MODULUS requested with 128 buffer
>> [out] pTemplate[1]:
>> CKA_MODULUS [size : 0x80 (128)]
>> 89E42655 C26A3DD8 58349968 A5A32FAE 2FF199EE 0D334E2D E24AA53F
>> AFD5AAF9
>> 0D9EEACE 7224BB09 D2F4739F 8A678433 7E9F8892 71B4A7F5 27C278A7
>> 71C6BD0C
>> FB4DA725 19934967 8A4CBD9D 36FB8518 F0A81FDB D7F57B55 1912A2C8
>> 8AA9859C
>> 732CD522 8E95A9D0 70A79522 ABC3E0F1 4C374FA8 E1799B48 54668406
>> 042FFF23
>> Returned: 0 CKR_OK
>> 20: C_GetAttributeValue
>> [in] hSession = 0x8052438
>> [in] hObject = 0x8052620
>> [in] pTemplate[1]:
>> CKA_PUBLIC_EXPONENT requested with 0 buffer
>> [out] pTemplate[1]:
>> CKA_PUBLIC_EXPONENT has size -1
>> Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID
>> 21: C_FindObjects
>> [in] hSession = 0x8052438
>> [in] ulMaxObjectCount = 0x1
>> [out] ulObjectCount = 0x0
>> Returned: 0 CKR_OK
>> 22: C_FindObjectsFinal
>> [in] hSession = 0x8052438
>> Returned: 0 CKR_OK
>> 23: C_FindObjectsInit
>> [in] hSession = 0x8052438
>> [in] pTemplate[1]:
>> CKA_CLASS CKO_CERTIFICATE
>> Returned: 0 CKR_OK
>> 24: C_FindObjects
>> [in] hSession = 0x8052438
>> [in] ulMaxObjectCount = 0x1
>> [out] ulObjectCount = 0x1
>> Object 134630568 Matches
>> Returned: 0 CKR_OK
>> 25: C_GetAttributeValue
>> [in] hSession = 0x8052438
>> [in] hObject = 0x8064ca8
>> [in] pTemplate[2]:
>> CKA_ID requested with 1 buffer
>> CKA_VALUE requested with 0 buffer
>> [out] pTemplate[2]:
>> CKA_ID has size 1
>> CKA_VALUE has size 1351
>> Returned: 0 CKR_OK
>> 26: C_GetAttributeValue
>> [in] hSession = 0x8052438
>> [in] hObject = 0x8064ca8
>> [in] pTemplate[2]:
>> CKA_ID requested with 1 buffer
>> CKA_VALUE requested with 1351 buffer
>> [out] pTemplate[2]:
>> CKA_ID [size : 0x1 (1)]
>> 01
>> CKA_VALUE [size : 0x547 (1351)]
>> 30820543 308204AC A0030201 0202043E CA423A30 0D06092A 864886F7
>> 0D010105
>> 0500306F 310B3009 06035504 06130255 53311830 16060355 040A130F
>> 552E532E
>> 20476F76 65726E6D 656E7431 1D301B06 0355040B 13144465 70617274
>> 6D656E74
>> 206F6620 456E6572 6779311A 30180603 55040B13 114B616E 73617320
>> 43697479
>> 20506C61 6E74310B 30090603 55040B13 02434130 1E170D30 36303732
>> 36313733
>> 3134305A 170D3039 30373236 31383031 34305A30 81B1310B 30090603
>> 55040613
>> 02555331 18301606 0355040A 130F552E 532E2047 6F766572 6E6D656E
>> 74311D30
>> 1B060355 040B1314 44657061 72746D65 6E74206F 6620456E 65726779
>> 311A3018
>> 06035504 0B13114B 616E7361 73204369 74792050 6C616E74 310F300D
>> 06035504
>> 0B130670 6572736F 6E310E30 0C060355 040B1305 6C6F6361 6C312C30
>> 0D060355
>> 04051306 75363032 3637301B 06035504 0313144D 69636861 656C2042
>> 2E20416C
>> 6578616E 64657230 819F300D 06092A86 4886F70D 01010105 0003818D
>> 00308189
>> 02818100 9DA6B972 1C10BFF8 C5D762E2 3439468F B907EDB0 CC9303CA
>> B4F2C5B4
>> 9A9D30A3 9DD7D36E 4020E756 A947A48C 59176B6E 70F58A84 CD4282BC
>> 0996A561
>> 4496FA47 6B03DE82 FF56A682 03517E8F D0D7D322 15346B06 2B1A39F0
>> C3202FC8
>> A12C3043 81F44F5E 5E074D17 62899B4B 9CF10374 FD484A3A F815166A
>> 02D43C0D
>> 9BB22387 02030100 01A38202 A7308202 A3301706 03551D20 0410300E
>> 300C060A
>> 60864801 65030201 0A043040 0603551D 11043930 3781126D 616C6578
>> 616E6465
>> 72406B63 702E636F 6DA02106 0A2B0601 04018237 140203A0 130C1175
>> 36303236
>> 37406164 2E6B6370 2E636F6D 301B0603 551D0904 14301230 1006092A
>> 864886F6
>> 7D07441D 31030201 11308201 B4060355 1D1F0482 01AB3082 01A73081
>> 8AA08187
>> A08184A4 8181307F 310B3009 06035504 06130255 53311830 16060355
>> 040A130F
>> 552E532E 20476F76 65726E6D 656E7431 1D301B06 0355040B 13144465
>> 70617274
>> 6D656E74 206F6620 456E6572 6779311A 30180603 55040B13 114B616E
>> 73617320
>> 43697479 20506C61 6E74310B 30090603 55040B13 02434131 0E300C06
>> 03550403
>> 13054352 4C313730 820116A0 820112A0 82010E86 81836C64 61703A2F
>> 2F656E74
>> 72757374 6469722E 6B63702E 636F6D2F 636E3D57 696E436F 6D62696E
>> 6564312C
>> 6F753D43 412C6F75 3D4B616E 73617325 32304369 74792532 30506C61
>> 6E742C6F
>> 753D4465 70617274 6D656E74 2532306F 66253230 456E6572 67792C6F
>> 3D552E53
>> 2E253230 476F7665 726E6D65 6E742C63 3D55533F 3F626173 65868185
>> 6C646170
>> 3A2F2F2F 434E3D43 41312C43 4E3D4341 53657276 65722C43 4E3D4344
>> 502C434E
>> 3D507562 6C696320 4B657920 53657276 69636573 2C434E3D 53657276
>> 69636573
>> 2C434E3D 436F6E66 69677572 6174696F 6E2C4443 3D726F6F 742C4443
>> 3D6B6370
>> 2C44433D 636F6D3F 63657274 69666963 61746552 65766F63 6174696F
>> 6E4C6973
>> 74300B06 03551D0F 04040302 0520301F 0603551D 23041830 168014D8
>> 9483D59A
>> 6B2F737D A2F1CA82 6BD1ABC4 06C7BE30 1D060355 1D0E0416 0414BCF1
>> 13E31D54
>> 1BA07348 2C30AE2B 69A0D7CE 4E5D3009 0603551D 13040230 00301906
>> 092A8648
>> 86F67D07 4100040C 300A1B04 56372E31 03020490 300D0609 2A864886
>> F70D0101
>> 05050003 81810050 75D4AEE3 CF0D112B A1D0B610 93158141 E892E3D2
>> 7E9F07C0
>> 67A8CB64 33725D41 440DFBF3 FE3C6DDB F1C972B3 EBFD90E9 854FB862
>> BD03513C
>> DD71CD72 752FD7EA 7972B908 31C11686 295CE116 4BD6A17B A37EB8CB
>> E5B59085
>> 560D0A7A A509D152 186FD599 E2119CCE A30F87C6 5048CA9E BEF5A3A3
>> 82BC7CA4
>> EEFCF7AA 057CC9
>> Returned: 0 CKR_OK
>> 27: C_FindObjects
>> [in] hSession = 0x8052438
>> [in] ulMaxObjectCount = 0x1
>> [out] ulObjectCount = 0x1
>> Object 134613664 Matches
>> Returned: 0 CKR_OK
>> 28: C_GetAttributeValue
>> [in] hSession = 0x8052438
>> [in] hObject = 0x8060aa0
>> [in] pTemplate[2]:
>> CKA_ID requested with 1 buffer
>> CKA_VALUE requested with 1351 buffer
>> [out] pTemplate[2]:
>> CKA_ID has size 1
>> CKA_VALUE has size 1429
>> Returned: 0 CKR_OK
>> 29: C_GetAttributeValue
>> [in] hSession = 0x8052438
>> [in] hObject = 0x8060aa0
>> [in] pTemplate[2]:
>> CKA_ID requested with 1 buffer
>> CKA_VALUE requested with 1429 buffer
>> [out] pTemplate[2]:
>> CKA_ID [size : 0x1 (1)]
>> 00
>> CKA_VALUE [size : 0x595 (1429)]
>> 30820591 308204FA A0030201 0202043E CA43DB30 0D06092A 864886F7
>> 0D010105
>> 0500306F 310B3009 06035504 06130255 53311830 16060355 040A130F
>> 552E532E
>> 20476F76 65726E6D 656E7431 1D301B06 0355040B 13144465 70617274
>> 6D656E74
>> 206F6620 456E6572 6779311A 30180603 55040B13 114B616E 73617320
>> 43697479
>> 20506C61 6E74310B 30090603 55040B13 02434130 1E170D30 36303830
>> 33313630
>> 3735305A 170D3039 30383033 31363337 35305A30 81B1310B 30090603
>> 55040613
>> 02555331 18301606 0355040A 130F552E 532E2047 6F766572 6E6D656E
>> 74311D30
>> 1B060355 040B1314 44657061 72746D65 6E74206F 6620456E 65726779
>> 311A3018
>> 06035504 0B13114B 616E7361 73204369 74792050 6C616E74 310F300D
>> 06035504
>> 0B130670 6572736F 6E310E30 0C060355 040B1305 6C6F6361 6C312C30
>> 0D060355
>> 04051306 75363032 3637301B 06035504 0313144D 69636861 656C2042
>> 2E20416C
>> 6578616E 64657230 819F300D 06092A86 4886F70D 01010105 0003818D
>> 00308189
>> 02818100 89E42655 C26A3DD8 58349968 A5A32FAE 2FF199EE 0D334E2D
>> E24AA53F
>> AFD5AAF9 0D9EEACE 7224BB09 D2F4739F 8A678433 7E9F8892 71B4A7F5
>> 27C278A7
>> 71C6BD0C FB4DA725 19934967 8A4CBD9D 36FB8518 F0A81FDB D7F57B55
>> 1912A2C8
>> 8AA9859C 732CD522 8E95A9D0 70A79522 ABC3E0F1 4C374FA8 E1799B48
>> 54668406
>> 042FFF23 02030100 01A38202 F5308202 F1300B06 03551D0F 04040302
>> 0780302B
>> 0603551D 10042430 22800F32 30303630 38303331 36303735 305A810F
>> 32303038
>> 30393038 32303337 35305A30 1F060355 1D250418 30160608 2B060105
>> 05070302
>> 060A2B06 01040182 37140202 30170603 551D2004 10300E30 0C060A60
>> 86480165
>> 0302010A 04304006 03551D11 04393037 81126D61 6C657861 6E646572
>> 406B6370
>> 2E636F6D A021060A 2B060104 01823714 0203A013 0C117536 30323637
>> 4061642E
>> 6B63702E 636F6D30 1B060355 1D090414 30123010 06092A86 4886F67D
>> 07441D31
>> 03020111 308201B4 0603551D 1F048201 AB308201 A730818A A08187A0
>> 8184A481
>> 81307F31 0B300906 03550406 13025553 31183016 06035504 0A130F55
>> 2E532E20
>> 476F7665 726E6D65 6E74311D 301B0603 55040B13 14446570 6172746D
>> 656E7420
>> 6F662045 6E657267 79311A30 18060355 040B1311 4B616E73 61732043
>> 69747920
>> 506C616E 74310B30 09060355 040B1302 4341310E 300C0603 55040313
>> 0543524C
>> 31373082 0116A082 0112A082 010E8681 836C6461 703A2F2F 656E7472
>> 75737464
>> 69722E6B 63702E63 6F6D2F63 6E3D5769 6E436F6D 62696E65 64312C6F
>> 753D4341
>> 2C6F753D 4B616E73 61732532 30436974 79253230 506C616E 742C6F75
>> 3D446570
>> 6172746D 656E7425 32306F66 25323045 6E657267 792C6F3D 552E532E
>> 25323047
>> 6F766572 6E6D656E 742C633D 55533F3F 62617365 8681856C 6461703A
>> 2F2F2F43
>> 4E3D4341 312C434E 3D434153 65727665 722C434E 3D434450 2C434E3D
>> 5075626C
>> 6963204B 65792053 65727669 6365732C 434E3D53 65727669 6365732C
>> 434E3D43
>> 6F6E6669 67757261 74696F6E 2C44433D 726F6F74 2C44433D 6B63702C
>> 44433D63
>> 6F6D3F63 65727469 66696361 74655265 766F6361 74696F6E 4C697374
>> 301F0603
>> 551D2304 18301680 14D89483 D59A6B2F 737DA2F1 CA826BD1 ABC406C7
>> BE301D06
>> 03551D0E 04160414 29704371 70BCFD33 E6DDA186 60E3CD45 A09EE354
>> 30090603
>> 551D1304 02300030 1906092A 864886F6 7D074100 040C300A 1B045637
>> 2E310302
>> 04B0300D 06092A86 4886F70D 01010505 00038181 0042F9C0 B1607678
>> 6EF1E5FF
>> E90C23FD C2BDAC68 A7DCEC63 F541AA3B F3EA9D9D 36115A54 14B74B0C
>> 769E3487
>> F5B60080 F3C23E9E BE908AD8 18380393 F333DFCC 794782C4 8B159D4B
>> DE0E9C9B
>> 7BF4ACCE 0F586AA7 2E0EC60A E36B3B55 992F8B3B 0AE156A8 3F95C10C
>> D8E40860
>> 931BFC39 D2DBF130 FF53CD62 18294EEB FE7A5318 71
>> Returned: 0 CKR_OK
>> 30: C_FindObjects
>> [in] hSession = 0x8052438
>> [in] ulMaxObjectCount = 0x1
>> [out] ulObjectCount = 0x0
>> Returned: 0 CKR_OK
>> 31: C_FindObjectsFinal
>> [in] hSession = 0x8052438
>> Returned: 0 CKR_OK
>> 32: C_CloseSession
>> [in] hSession = 0x8052438
>> Returned: 0 CKR_OK
>> 33: C_OpenSession
>> [in] slotID = 0x1
>> [in] flags = 0x4
>> pApplication=(nil)
>> Notify=(nil)
>> [out] *phSession = 0x806f8c0
>> Returned: 0 CKR_OK
>> 34: C_SignInit
>> [in] hSession = 0x806f8c0
>> pMechanism->type=CKM_RSA_PKCS
>> [in] hKey = 0x8052620
>> Returned: 0 CKR_OK
>> 35: C_Sign
>> [in] hSession = 0x806f8c0
>> [in] pData[ulDataLen] [size : 0x23 (35)]
>> 30213009 06052B0E 03021A05 000414C5 89CD9A75 43934015 0D224CD1
>> 3E5BE1F8
>> 6B9145
>> Returned: 6 CKR_FUNCTION_FAILED
>> "Douglas E. Engert" <deengert@anl.gov> 09/01/2006 03:38 PM
>> To
>> malexander@kcp.com
>> cc
>> heimdal-discuss@sics.se
>> Subject
>> Re: pkinit integration with smart card
>> malexander@kcp.com wrote:
>>> I think I just had a light bulb go off. The hKey value isn't a
>>> key like
>> a
>>> symmetric key. The hKey value is an object on the card, that is
>>> the private key. Is this right?
>> Sort of. Its a handle to pass to the PKCS#11 that it uses to find the
>> key on the card.
>>> The hKey value is found in Mozilla with a FindObjectsInit using
>>> the pTemplate[2]:
>>> [in] pTemplate[2]: CKA_ID [size : 0x1 (1)]
>>> 00
>>> CKA_CLASS CKO_PRIVATE_KEY
>>> The object that matches is returned and used in the SignInit
>>> function.
>>>
>>> In heimdal pkinit it looks like it sends the FindObjectsInit with
>>> just
>> the
>>> CKA_CLASS for the Private key.
>> And what does the FindObject return? Just one key, or many keys.
>> Are the calls to the FindObject... and C_Sign all in the same
>> session?
>> Are there any other calls between the two that would cause the
>> PKCS#11
>> to get confused about what hKey was to be used with trhe C_Sign.
>>> Can I add the CKA_ID for 00 in the FindObjectsInit?
>> Maybe. But this may depend on how many keys are on the card,
>> and you need to use the key that matches the certificate.
>> The certificate should have a CKA_ID that can be used to find the
>> matching key. So the apliucation code should use this when it
>> is trying to find the key object.
>> Do you have a copy of the PKCS#11 douument? It can be found at
>> http://www.rsasecurity.com/rsalabs/node.asp?id=2133
>> or Google for RSA PKCS#11 it "must" reading when debuging PKCS#11.
>>>
>>>
>>> "Douglas E. Engert" <deengert@anl.gov> Sent by: owner-heimdal-
>>> discuss@sics.se
>>> 09/01/2006 10:44 AM
>>>
>>> To
>>> malexander@kcp.com
>>> cc
>>> heimdal-discuss@sics.se, owner-heimdal-discuss@sics.se
>>> Subject
>>> Re: pkinit integration with smart card
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> malexander@kcp.com wrote:
>>>
>>>
>>>
>>>> Thanks for the response. Complely new to these low level points
>>>> with
>>>
>>> the
>>>
>>>> Smart Card so I've been looking up some terms, I appreciate the
>>>> advice.
>>>>
>>>> I looked at the PKCS11-tool output first:
>>>> pkcs11-tool --module /usr/local/acgold/lib/libpkcs11.so -M
>>>> Supported mechanisms:
>>>
>>>
>>> I am not sure what the other flags are, but I would expect the
>>> RSA-PKCS would have sign, verify, wrap, unwrap, and maybe decrypt.
>>> Note it did not say sign, which is the operation you are trying
>>> to do.
>>>
>>>
>>>
>>>> RSA-PKCS, wrap, unwrap, other flags=0x20000
>>>
>>>
>>>> SHA1-RSA-PKCS, sign, verify, wrap, unwrap, encrypt, decrypt,
>>>
>>> keypairgen,
>>>
>>>> other flags=0x2d000
>>>>
>>>
>>>
>>> The available mechanisum from PKCS11 are a combinatiuon of what
>>> can be done
>>> in the software and the smartcard. For example the SHA1 hash
>>> might be
>> done
>>> by sending the data to the card, or could be done by the pkcs11
>>> software
>>> to produce the hash.
>>>
>>> I am suprised if it can do SHA1_RSA_PKCS sign, it can't do
>>> RSA_PKCS as this just skips the hash set.
>>>
>>>
>>>
>>>
>>>
>>>> The length of the destination buffer is 128 bytes. The length
>>>> of the signature in pData is 35 bytes. Is the CKM_RSA_X_509
>>>> mechanism a tool
>>>
>>> of
>>>
>>>> the Card? Should/could the pData for signature be padded to 128
>>>> with a method external to the card?
>>>
>>>
>>> A sign with RSA_PKCS says take the input and pad with PKCS
>>> padding 01
>> then
>>> do an RSA encrypt using the private key. The data must be less then
>>> keysize-11 so normally the data sent is a hash of the data you
>>> really
>> want
>>> to sign.
>>>
>>> A sign with SHA1_RSA_PKCS says pass the data (any length) to the
>>> C_Sign
>> or
>>> (C_SignUpdate...+C_SignFinal) then do the padding and encrypt
>>> with RSA.
>>>
>>> So as Love pointed out, the Heimdal applicaiton could send the data
>>> pre hashed data to the PKCS11 using SHA1_RSA_PKCS.
>>>
>>>
>>>
>>>>
>>>>
>>>>
>>>> "Douglas E. Engert" <deengert@anl.gov> Sent by: owner-heimdal-
>>>> discuss@sics.se
>>>> 08/31/2006 01:41 PM
>>>>
>>>> To
>>>> malexander@kcp.com
>>>> cc
>>>> heimdal-discuss@sics.se
>>>> Subject
>>>> Re: pkinit integration with smart card
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> I have gotten the Heimdal to work with other OpenSC supported
>>>> cards.
>>>>
>>>> It could be that the card says it has the CKM_RSA_PKCS but
>>>> really does
>>>> not or the pkcs11 lib is simulating CKM_RSA_PKCS and is having
>>>> problems
>>>> doing the padding. It might be possible to use the
>>>> CKM_RSA_X_509 (raw)
>>>> mechanisum, by doing the PKCS padding first, then calling the
>>>> C_Sign
>>>> functions.
>>>>
>>>> Could also be that the pkcs11 is expecting the pSignature and
>>>> pSignatureLen
>>>> to be set correctly, i.e. for a 1024 key, to a 128 byte buffer,
>>>> and it
>>>
>>> is
>>>
>>>
>>>> returing the wrong error code.
>>>>
>>>> If you can use the OpenSC spy, can you use the pkcs11-tool as well
>>>> pointing it at your PKCS11( -module <sharedlib>)? What
>>>> mechanisums does
>>>> it say it has?
>>>>
>>>>
>>>>
>>>> malexander@kcp.com wrote:
>>>>
>>>>
>>>>
>>>>
>>>>> Any idea as to why I would receive a CKR_FUNCTION_FAILED error
>>>>> on the C_Sign operation from PKCS11 module?
>>>>> I'm getting to the signature operation on the smart card for
>>>>> PKINIT
>> when
>>>
>>>>> the kinit segment faults. I used the pkcs11 spy library from
>>>>> OpenSC
>> and
>>>
>>>>> the final operations it records with the card are:
>>>>> 33: C_OpenSession
>>>>> [in] slotID = 0x1
>>>>> [in] flags = 0x4
>>>>> pApplication=(nil)
>>>>> Notify=(nil)
>>>>> [out] *phSession = 0x806b860
>>>>> Returned: 0 CKR_OK
>>>>>
>>>>>
>>>>> 34: C_SignInit
>>>>> [in] hSession = 0x806b860
>>>>> pMechanism->type=CKM_RSA_PKCS
>>>>> [in] hKey = 0x8052508
>>>>> Returned: 0 CKR_OK
>>>>>
>>>>>
>>>>> 35: C_Sign
>>>>> [in] hSession = 0x806b860
>>>>> [in] pData[ulDataLen] [size : 0x23 (35)]
>>>>> 30213009 06052B0E 03021A05 00041496 9A0A7A5A 74DA942D CA0160DF
>>>>> CEABACB2
>>>>> EB2E3F
>>>>> Returned: 6 CKR_FUNCTION_FAILED
>>>>>
>>>>> I've been trying to get the pkinit functionality to work with
>>>>> the ActivCard Gold middleware product. They provide the pkcs11
>>>>> module;
>>>>
>>>> using
>>>>
>>>>
>>>>> this module I'm able to get it to work with SSH using a patch,
>>>>> but I
>>>>
>>>> have
>>>>
>>>>
>>>>> not had success with heimdal.
>>>>>
>>>>> The module does not implement the CKA_PUBLIC_EXPONENT class.
>> Originally,
>>>
>>>>> the kinit aborts due to the missing exponent and so that's
>>>>> manually inserted to the value from the certificates on the
>>>>> Smart Card in the ks_p11.c.
>>>>>
>>>>> rsa->e = getattr_bn(p, slot, session, object,
>>>>> CKA_PUBLIC_EXPONENT);
>>>>> if (rsa->e == NULL)
>>>>> BN_dec2bn(&rsa->e, "65537");
>>>>> if (rsa->e == NULL)
>>>>> _hx509_abort("CKA_PUBLIC_EXPONENT missing");
>>>>>
>>>>> I've also changed the rsa->e to any number with the same
>>>>> results, so
>> I'm
>>>
>>>>> wondering if I'm doing it right.
>>>>>
>>>>
>>>>
>
> --
>
> Douglas E. Engert <DEEngert@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444