[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: pkinit integration with smart card
Love Hörnquist Åstrand wrote:
> The standard say one login is enough for all session since they all share
> the same loginstate.
>
> That said, I can belive you that this is the case, I've commited code
> that should
> deal with by keeping the session around. See next snapshot generated in
> a couple of hours.
Version 2.01 C_CloseSesion says: "When a sesion is closed, all session
objects created by the sesion are destroyed automaticly, even if the
application has other sessions "using" the objects".
I would infer that this may be the problem with the hKey object,
as it was found using one session then was trying to be used in the
other session, and the two sesisons where no open at the same time
either.
Sounds like you change should address this problem, and I hope .
>
> Love
>
>
> 5 sep 2006 kl. 21.42 skrev Douglas E. Engert:
>
>> One thing I do see in this trace is this sequence:
>>
>> 6 C_OpenSesion
>> 7 C_Login CKU_USER
>> 32 C_CloseSesion
>> 33 C_OpenSession
>> 34 C_SignInit
>> 35 C_Sign --- fail
>>
>> It is not clear why the application clooses one session then opens
>> and a new session without the C_Login to do the do the C_Sign.
>>
>> It is also not clear if you can close a sesion and expect the
>> hanldes to objects found under that session to still be valid
>> and usable be another sesion.
>>
>> The library may be sending a close or reset to the card, when the
>> session is closed, thus the C_Sign will fail because the card will
>> not allow it.
>>
>> Your card and PKCS#11 maybe working as expected, and it might be the
>> application code that needs to be changed to use use a single session.
>>
>> With some other cards, the PKCS#11 implentation may not be enforcing
>> this behavior and card as it should and the second sesion has access
>> to the crypto on the card.
>>
>>
>>
>>
>>
>> malexander@kcp.com wrote:
>>
>>> p11_list_keys() cycles through the classes. and uses the
>>> iterate_entries() method is used to find the objects. First i opens
>>> a session for login the uses that session to search:
>>> 8: C_FindObjectsInit
>>> [in] hSession = 0x8052438
>>> [in] pTemplate[1]:
>>> CKA_CLASS CKO_PRIVATE_KEY
>>> Returned: 0 CKR_OK
>>> That finds 1 object then that object has GetAttributeValue run
>>> through CKA_ID/CKA_VALUE, CKA_MODULUS, CKA_PUBLIC_EXPONENT (fails,
>>> note below manually populated the rsa->e value with the exponent
>>> from the certficate). All the values are reqeusted with a 0 buffer
>>> to get the size, then with a second request with the proper buffer
>>> allocations. Another FindObjects is called, this returns an objects
>>> and the GetAttributeValues are run through as before. This is the
>>> object that is used for the hKey value in CKA_SignInit later.
>>> Then the FindObjectsFinal is sent. The FindObjectsInit is sent again;
>>> 23: C_FindObjectsInit
>>> [in] hSession = 0x8052438
>>> [in] pTemplate[1]:
>>> CKA_CLASS CKO_CERTIFICATE
>>> Returned: 0 CKR_OK
>>> That finds 1 object and then the GetAttributevalues are run same as
>>> before for CKA_ID/CKA_VALUE, then FindObjects is called again, a
>>> different objects matches and GetAttributes are called for
>>> CKA_ID/CKA_VALUE
>>> FindObjects is called again, with no returned and findObjectsFinal,
>>> then the session is closed.
>>> Next the applications Opens a new session and does the C_SignInit
>>> with the hkey value of from the second object found in the
>>> PRIVATE_KEY search. Then the C_Sign function fails.
>>> I copied the PKCS11-spy module output below in case I read this wrong:
>>> *************** OpenSC PKCS#11 spy *****************
>>> Loaded: "/usr/local/acgold/lib/libpkcs11.so"
>>> 0: C_GetFunctionList
>>> Returned: 0 CKR_OK
>>> 1: C_Initialize
>>> Returned: 0 CKR_OK
>>> 2: C_GetSlotList
>>> [in] tokenPresent = 0x0
>>> [out] pSlotList:
>>> Count is 1
>>> [out] *pulCount = 0x1
>>> Returned: 0 CKR_OK
>>> 3: C_GetSlotList
>>> [in] tokenPresent = 0x0
>>> [out] pSlotList:
>>> Slot 1
>>> [out] *pulCount = 0x1
>>> Returned: 0 CKR_OK
>>> 4: C_GetSlotInfo
>>> [in] slotID = 0x1
>>> [out] pInfo:
>>> slotDescription: 'ActivCard USB Reader 2.0 (60102D'
>>> '27) 00 00 '
>>> manufacturerID: 'Unknown MFR '
>>> hardwareVersion: 1.0
>>> firmwareVersion: 1.0
>>> flags: 7
>>> CKF_TOKEN_PRESENT
>>> CKF_REMOVABLE_DEVICE
>>> CKF_HW_SLOT
>>> Returned: 0 CKR_OK
>>> 5: C_GetTokenInfo
>>> [in] slotID = 0x1
>>> [out] pInfo:
>>> label: 'ActivIdentity Smart Card '
>>> manufacturerID: 'Unknown MFR '
>>> model: 'Unknown Model '
>>> serialNumber: '1 '
>>> ulMaxSessionCount: 0
>>> ulSessionCount: 0
>>> ulMaxRwSessionCount: 0
>>> ulRwSessionCount: 0
>>> ulMaxPinLen: 8
>>> ulMinPinLen: 8
>>> ulTotalPublicMemory: 0
>>> ulFreePublicMemory: 0
>>> ulTotalPrivateMemory: 0
>>> ulFreePrivateMemory: 0
>>> hardwareVersion: 255.0
>>> firmwareVersion: 255.0
>>> time: '0000000000000000'
>>> flags: 40d
>>> CKF_RNG
>>> CKF_LOGIN_REQUIRED
>>> CKF_USER_PIN_INITIALIZED
>>> CKF_TOKEN_INITIALIZED
>>> Returned: 0 CKR_OK
>>> 6: C_OpenSession
>>> [in] slotID = 0x1
>>> [in] flags = 0x4
>>> pApplication=(nil)
>>> Notify=(nil)
>>> [out] *phSession = 0x8052438
>>> Returned: 0 CKR_OK
>>> 7: C_Login
>>> [in] hSession = 0x8052438
>>> [in] userType = CKU_USER
>>> [in] pPin[ulPinLen] [size : 0x6 (6)]
>>> 36353431 3233
>>> Returned: 0 CKR_OK
>>> 8: C_FindObjectsInit
>>> [in] hSession = 0x8052438
>>> [in] pTemplate[1]:
>>> CKA_CLASS CKO_PRIVATE_KEY
>>> Returned: 0 CKR_OK
>>> 9: C_FindObjects
>>> [in] hSession = 0x8052438
>>> [in] ulMaxObjectCount = 0x1
>>> [out] ulObjectCount = 0x1
>>> Object 134612592 Matches
>>> Returned: 0 CKR_OK
>>> 10: C_GetAttributeValue
>>> [in] hSession = 0x8052438
>>> [in] hObject = 0x8060670
>>> [in] pTemplate[1]:
>>> CKA_ID requested with 0 buffer
>>> [out] pTemplate[1]:
>>> CKA_ID has size 1
>>> Returned: 0 CKR_OK
>>> 11: C_GetAttributeValue
>>> [in] hSession = 0x8052438
>>> [in] hObject = 0x8060670
>>> [in] pTemplate[1]:
>>> CKA_ID requested with 1 buffer
>>> [out] pTemplate[1]:
>>> CKA_ID [size : 0x1 (1)]
>>> 01
>>> Returned: 0 CKR_OK
>>> 12: C_GetAttributeValue
>>> [in] hSession = 0x8052438
>>> [in] hObject = 0x8060670
>>> [in] pTemplate[1]:
>>> CKA_MODULUS requested with 0 buffer
>>> [out] pTemplate[1]:
>>> CKA_MODULUS has size 128
>>> Returned: 0 CKR_OK
>>> 13: C_GetAttributeValue
>>> [in] hSession = 0x8052438
>>> [in] hObject = 0x8060670
>>> [in] pTemplate[1]:
>>> CKA_MODULUS requested with 128 buffer
>>> [out] pTemplate[1]:
>>> CKA_MODULUS [size : 0x80 (128)]
>>> 9DA6B972 1C10BFF8 C5D762E2 3439468F B907EDB0 CC9303CA B4F2C5B4
>>> 9A9D30A3
>>> 9DD7D36E 4020E756 A947A48C 59176B6E 70F58A84 CD4282BC 0996A561
>>> 4496FA47
>>> 6B03DE82 FF56A682 03517E8F D0D7D322 15346B06 2B1A39F0 C3202FC8
>>> A12C3043
>>> 81F44F5E 5E074D17 62899B4B 9CF10374 FD484A3A F815166A 02D43C0D
>>> 9BB22387
>>> Returned: 0 CKR_OK
>>> 14: C_GetAttributeValue
>>> [in] hSession = 0x8052438
>>> [in] hObject = 0x8060670
>>> [in] pTemplate[1]:
>>> CKA_PUBLIC_EXPONENT requested with 0 buffer
>>> [out] pTemplate[1]:
>>> CKA_PUBLIC_EXPONENT has size -1
>>> Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID
>>> 15: C_FindObjects
>>> [in] hSession = 0x8052438
>>> [in] ulMaxObjectCount = 0x1
>>> [out] ulObjectCount = 0x1
>>> Object 134555168 Matches
>>> Returned: 0 CKR_OK
>>> 16: C_GetAttributeValue
>>> [in] hSession = 0x8052438
>>> [in] hObject = 0x8052620
>>> [in] pTemplate[1]:
>>> CKA_ID requested with 1 buffer
>>> [out] pTemplate[1]:
>>> CKA_ID has size 1
>>> Returned: 0 CKR_OK
>>> 17: C_GetAttributeValue
>>> [in] hSession = 0x8052438
>>> [in] hObject = 0x8052620
>>> [in] pTemplate[1]:
>>> CKA_ID requested with 1 buffer
>>> [out] pTemplate[1]:
>>> CKA_ID [size : 0x1 (1)]
>>> 00
>>> Returned: 0 CKR_OK
>>> 18: C_GetAttributeValue
>>> [in] hSession = 0x8052438
>>> [in] hObject = 0x8052620
>>> [in] pTemplate[1]:
>>> CKA_MODULUS requested with 0 buffer
>>> [out] pTemplate[1]:
>>> CKA_MODULUS has size 128
>>> Returned: 0 CKR_OK
>>> 19: C_GetAttributeValue
>>> [in] hSession = 0x8052438
>>> [in] hObject = 0x8052620
>>> [in] pTemplate[1]:
>>> CKA_MODULUS requested with 128 buffer
>>> [out] pTemplate[1]:
>>> CKA_MODULUS [size : 0x80 (128)]
>>> 89E42655 C26A3DD8 58349968 A5A32FAE 2FF199EE 0D334E2D E24AA53F
>>> AFD5AAF9
>>> 0D9EEACE 7224BB09 D2F4739F 8A678433 7E9F8892 71B4A7F5 27C278A7
>>> 71C6BD0C
>>> FB4DA725 19934967 8A4CBD9D 36FB8518 F0A81FDB D7F57B55 1912A2C8
>>> 8AA9859C
>>> 732CD522 8E95A9D0 70A79522 ABC3E0F1 4C374FA8 E1799B48 54668406
>>> 042FFF23
>>> Returned: 0 CKR_OK
>>> 20: C_GetAttributeValue
>>> [in] hSession = 0x8052438
>>> [in] hObject = 0x8052620
>>> [in] pTemplate[1]:
>>> CKA_PUBLIC_EXPONENT requested with 0 buffer
>>> [out] pTemplate[1]:
>>> CKA_PUBLIC_EXPONENT has size -1
>>> Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID
>>> 21: C_FindObjects
>>> [in] hSession = 0x8052438
>>> [in] ulMaxObjectCount = 0x1
>>> [out] ulObjectCount = 0x0
>>> Returned: 0 CKR_OK
>>> 22: C_FindObjectsFinal
>>> [in] hSession = 0x8052438
>>> Returned: 0 CKR_OK
>>> 23: C_FindObjectsInit
>>> [in] hSession = 0x8052438
>>> [in] pTemplate[1]:
>>> CKA_CLASS CKO_CERTIFICATE
>>> Returned: 0 CKR_OK
>>> 24: C_FindObjects
>>> [in] hSession = 0x8052438
>>> [in] ulMaxObjectCount = 0x1
>>> [out] ulObjectCount = 0x1
>>> Object 134630568 Matches
>>> Returned: 0 CKR_OK
>>> 25: C_GetAttributeValue
>>> [in] hSession = 0x8052438
>>> [in] hObject = 0x8064ca8
>>> [in] pTemplate[2]:
>>> CKA_ID requested with 1 buffer
>>> CKA_VALUE requested with 0 buffer
>>> [out] pTemplate[2]:
>>> CKA_ID has size 1
>>> CKA_VALUE has size 1351
>>> Returned: 0 CKR_OK
>>> 26: C_GetAttributeValue
>>> [in] hSession = 0x8052438
>>> [in] hObject = 0x8064ca8
>>> [in] pTemplate[2]:
>>> CKA_ID requested with 1 buffer
>>> CKA_VALUE requested with 1351 buffer
>>> [out] pTemplate[2]:
>>> CKA_ID [size : 0x1 (1)]
>>> 01
>>> CKA_VALUE [size : 0x547 (1351)]
>>> 30820543 308204AC A0030201 0202043E CA423A30 0D06092A 864886F7
>>> 0D010105
>>> 0500306F 310B3009 06035504 06130255 53311830 16060355 040A130F
>>> 552E532E
>>> 20476F76 65726E6D 656E7431 1D301B06 0355040B 13144465 70617274
>>> 6D656E74
>>> 206F6620 456E6572 6779311A 30180603 55040B13 114B616E 73617320
>>> 43697479
>>> 20506C61 6E74310B 30090603 55040B13 02434130 1E170D30 36303732
>>> 36313733
>>> 3134305A 170D3039 30373236 31383031 34305A30 81B1310B 30090603
>>> 55040613
>>> 02555331 18301606 0355040A 130F552E 532E2047 6F766572 6E6D656E
>>> 74311D30
>>> 1B060355 040B1314 44657061 72746D65 6E74206F 6620456E 65726779
>>> 311A3018
>>> 06035504 0B13114B 616E7361 73204369 74792050 6C616E74 310F300D
>>> 06035504
>>> 0B130670 6572736F 6E310E30 0C060355 040B1305 6C6F6361 6C312C30
>>> 0D060355
>>> 04051306 75363032 3637301B 06035504 0313144D 69636861 656C2042
>>> 2E20416C
>>> 6578616E 64657230 819F300D 06092A86 4886F70D 01010105 0003818D
>>> 00308189
>>> 02818100 9DA6B972 1C10BFF8 C5D762E2 3439468F B907EDB0 CC9303CA
>>> B4F2C5B4
>>> 9A9D30A3 9DD7D36E 4020E756 A947A48C 59176B6E 70F58A84 CD4282BC
>>> 0996A561
>>> 4496FA47 6B03DE82 FF56A682 03517E8F D0D7D322 15346B06 2B1A39F0
>>> C3202FC8
>>> A12C3043 81F44F5E 5E074D17 62899B4B 9CF10374 FD484A3A F815166A
>>> 02D43C0D
>>> 9BB22387 02030100 01A38202 A7308202 A3301706 03551D20 0410300E
>>> 300C060A
>>> 60864801 65030201 0A043040 0603551D 11043930 3781126D 616C6578
>>> 616E6465
>>> 72406B63 702E636F 6DA02106 0A2B0601 04018237 140203A0 130C1175
>>> 36303236
>>> 37406164 2E6B6370 2E636F6D 301B0603 551D0904 14301230 1006092A
>>> 864886F6
>>> 7D07441D 31030201 11308201 B4060355 1D1F0482 01AB3082 01A73081
>>> 8AA08187
>>> A08184A4 8181307F 310B3009 06035504 06130255 53311830 16060355
>>> 040A130F
>>> 552E532E 20476F76 65726E6D 656E7431 1D301B06 0355040B 13144465
>>> 70617274
>>> 6D656E74 206F6620 456E6572 6779311A 30180603 55040B13 114B616E
>>> 73617320
>>> 43697479 20506C61 6E74310B 30090603 55040B13 02434131 0E300C06
>>> 03550403
>>> 13054352 4C313730 820116A0 820112A0 82010E86 81836C64 61703A2F
>>> 2F656E74
>>> 72757374 6469722E 6B63702E 636F6D2F 636E3D57 696E436F 6D62696E
>>> 6564312C
>>> 6F753D43 412C6F75 3D4B616E 73617325 32304369 74792532 30506C61
>>> 6E742C6F
>>> 753D4465 70617274 6D656E74 2532306F 66253230 456E6572 67792C6F
>>> 3D552E53
>>> 2E253230 476F7665 726E6D65 6E742C63 3D55533F 3F626173 65868185
>>> 6C646170
>>> 3A2F2F2F 434E3D43 41312C43 4E3D4341 53657276 65722C43 4E3D4344
>>> 502C434E
>>> 3D507562 6C696320 4B657920 53657276 69636573 2C434E3D 53657276
>>> 69636573
>>> 2C434E3D 436F6E66 69677572 6174696F 6E2C4443 3D726F6F 742C4443
>>> 3D6B6370
>>> 2C44433D 636F6D3F 63657274 69666963 61746552 65766F63 6174696F
>>> 6E4C6973
>>> 74300B06 03551D0F 04040302 0520301F 0603551D 23041830 168014D8
>>> 9483D59A
>>> 6B2F737D A2F1CA82 6BD1ABC4 06C7BE30 1D060355 1D0E0416 0414BCF1
>>> 13E31D54
>>> 1BA07348 2C30AE2B 69A0D7CE 4E5D3009 0603551D 13040230 00301906
>>> 092A8648
>>> 86F67D07 4100040C 300A1B04 56372E31 03020490 300D0609 2A864886
>>> F70D0101
>>> 05050003 81810050 75D4AEE3 CF0D112B A1D0B610 93158141 E892E3D2
>>> 7E9F07C0
>>> 67A8CB64 33725D41 440DFBF3 FE3C6DDB F1C972B3 EBFD90E9 854FB862
>>> BD03513C
>>> DD71CD72 752FD7EA 7972B908 31C11686 295CE116 4BD6A17B A37EB8CB
>>> E5B59085
>>> 560D0A7A A509D152 186FD599 E2119CCE A30F87C6 5048CA9E BEF5A3A3
>>> 82BC7CA4
>>> EEFCF7AA 057CC9
>>> Returned: 0 CKR_OK
>>> 27: C_FindObjects
>>> [in] hSession = 0x8052438
>>> [in] ulMaxObjectCount = 0x1
>>> [out] ulObjectCount = 0x1
>>> Object 134613664 Matches
>>> Returned: 0 CKR_OK
>>> 28: C_GetAttributeValue
>>> [in] hSession = 0x8052438
>>> [in] hObject = 0x8060aa0
>>> [in] pTemplate[2]:
>>> CKA_ID requested with 1 buffer
>>> CKA_VALUE requested with 1351 buffer
>>> [out] pTemplate[2]:
>>> CKA_ID has size 1
>>> CKA_VALUE has size 1429
>>> Returned: 0 CKR_OK
>>> 29: C_GetAttributeValue
>>> [in] hSession = 0x8052438
>>> [in] hObject = 0x8060aa0
>>> [in] pTemplate[2]:
>>> CKA_ID requested with 1 buffer
>>> CKA_VALUE requested with 1429 buffer
>>> [out] pTemplate[2]:
>>> CKA_ID [size : 0x1 (1)]
>>> 00
>>> CKA_VALUE [size : 0x595 (1429)]
>>> 30820591 308204FA A0030201 0202043E CA43DB30 0D06092A 864886F7
>>> 0D010105
>>> 0500306F 310B3009 06035504 06130255 53311830 16060355 040A130F
>>> 552E532E
>>> 20476F76 65726E6D 656E7431 1D301B06 0355040B 13144465 70617274
>>> 6D656E74
>>> 206F6620 456E6572 6779311A 30180603 55040B13 114B616E 73617320
>>> 43697479
>>> 20506C61 6E74310B 30090603 55040B13 02434130 1E170D30 36303830
>>> 33313630
>>> 3735305A 170D3039 30383033 31363337 35305A30 81B1310B 30090603
>>> 55040613
>>> 02555331 18301606 0355040A 130F552E 532E2047 6F766572 6E6D656E
>>> 74311D30
>>> 1B060355 040B1314 44657061 72746D65 6E74206F 6620456E 65726779
>>> 311A3018
>>> 06035504 0B13114B 616E7361 73204369 74792050 6C616E74 310F300D
>>> 06035504
>>> 0B130670 6572736F 6E310E30 0C060355 040B1305 6C6F6361 6C312C30
>>> 0D060355
>>> 04051306 75363032 3637301B 06035504 0313144D 69636861 656C2042
>>> 2E20416C
>>> 6578616E 64657230 819F300D 06092A86 4886F70D 01010105 0003818D
>>> 00308189
>>> 02818100 89E42655 C26A3DD8 58349968 A5A32FAE 2FF199EE 0D334E2D
>>> E24AA53F
>>> AFD5AAF9 0D9EEACE 7224BB09 D2F4739F 8A678433 7E9F8892 71B4A7F5
>>> 27C278A7
>>> 71C6BD0C FB4DA725 19934967 8A4CBD9D 36FB8518 F0A81FDB D7F57B55
>>> 1912A2C8
>>> 8AA9859C 732CD522 8E95A9D0 70A79522 ABC3E0F1 4C374FA8 E1799B48
>>> 54668406
>>> 042FFF23 02030100 01A38202 F5308202 F1300B06 03551D0F 04040302
>>> 0780302B
>>> 0603551D 10042430 22800F32 30303630 38303331 36303735 305A810F
>>> 32303038
>>> 30393038 32303337 35305A30 1F060355 1D250418 30160608 2B060105
>>> 05070302
>>> 060A2B06 01040182 37140202 30170603 551D2004 10300E30 0C060A60
>>> 86480165
>>> 0302010A 04304006 03551D11 04393037 81126D61 6C657861 6E646572
>>> 406B6370
>>> 2E636F6D A021060A 2B060104 01823714 0203A013 0C117536 30323637
>>> 4061642E
>>> 6B63702E 636F6D30 1B060355 1D090414 30123010 06092A86 4886F67D
>>> 07441D31
>>> 03020111 308201B4 0603551D 1F048201 AB308201 A730818A A08187A0
>>> 8184A481
>>> 81307F31 0B300906 03550406 13025553 31183016 06035504 0A130F55
>>> 2E532E20
>>> 476F7665 726E6D65 6E74311D 301B0603 55040B13 14446570 6172746D
>>> 656E7420
>>> 6F662045 6E657267 79311A30 18060355 040B1311 4B616E73 61732043
>>> 69747920
>>> 506C616E 74310B30 09060355 040B1302 4341310E 300C0603 55040313
>>> 0543524C
>>> 31373082 0116A082 0112A082 010E8681 836C6461 703A2F2F 656E7472
>>> 75737464
>>> 69722E6B 63702E63 6F6D2F63 6E3D5769 6E436F6D 62696E65 64312C6F
>>> 753D4341
>>> 2C6F753D 4B616E73 61732532 30436974 79253230 506C616E 742C6F75
>>> 3D446570
>>> 6172746D 656E7425 32306F66 25323045 6E657267 792C6F3D 552E532E
>>> 25323047
>>> 6F766572 6E6D656E 742C633D 55533F3F 62617365 8681856C 6461703A
>>> 2F2F2F43
>>> 4E3D4341 312C434E 3D434153 65727665 722C434E 3D434450 2C434E3D
>>> 5075626C
>>> 6963204B 65792053 65727669 6365732C 434E3D53 65727669 6365732C
>>> 434E3D43
>>> 6F6E6669 67757261 74696F6E 2C44433D 726F6F74 2C44433D 6B63702C
>>> 44433D63
>>> 6F6D3F63 65727469 66696361 74655265 766F6361 74696F6E 4C697374
>>> 301F0603
>>> 551D2304 18301680 14D89483 D59A6B2F 737DA2F1 CA826BD1 ABC406C7
>>> BE301D06
>>> 03551D0E 04160414 29704371 70BCFD33 E6DDA186 60E3CD45 A09EE354
>>> 30090603
>>> 551D1304 02300030 1906092A 864886F6 7D074100 040C300A 1B045637
>>> 2E310302
>>> 04B0300D 06092A86 4886F70D 01010505 00038181 0042F9C0 B1607678
>>> 6EF1E5FF
>>> E90C23FD C2BDAC68 A7DCEC63 F541AA3B F3EA9D9D 36115A54 14B74B0C
>>> 769E3487
>>> F5B60080 F3C23E9E BE908AD8 18380393 F333DFCC 794782C4 8B159D4B
>>> DE0E9C9B
>>> 7BF4ACCE 0F586AA7 2E0EC60A E36B3B55 992F8B3B 0AE156A8 3F95C10C
>>> D8E40860
>>> 931BFC39 D2DBF130 FF53CD62 18294EEB FE7A5318 71
>>> Returned: 0 CKR_OK
>>> 30: C_FindObjects
>>> [in] hSession = 0x8052438
>>> [in] ulMaxObjectCount = 0x1
>>> [out] ulObjectCount = 0x0
>>> Returned: 0 CKR_OK
>>> 31: C_FindObjectsFinal
>>> [in] hSession = 0x8052438
>>> Returned: 0 CKR_OK
>>> 32: C_CloseSession
>>> [in] hSession = 0x8052438
>>> Returned: 0 CKR_OK
>>> 33: C_OpenSession
>>> [in] slotID = 0x1
>>> [in] flags = 0x4
>>> pApplication=(nil)
>>> Notify=(nil)
>>> [out] *phSession = 0x806f8c0
>>> Returned: 0 CKR_OK
>>> 34: C_SignInit
>>> [in] hSession = 0x806f8c0
>>> pMechanism->type=CKM_RSA_PKCS
>>> [in] hKey = 0x8052620
>>> Returned: 0 CKR_OK
>>> 35: C_Sign
>>> [in] hSession = 0x806f8c0
>>> [in] pData[ulDataLen] [size : 0x23 (35)]
>>> 30213009 06052B0E 03021A05 000414C5 89CD9A75 43934015 0D224CD1
>>> 3E5BE1F8
>>> 6B9145
>>> Returned: 6 CKR_FUNCTION_FAILED
>>> "Douglas E. Engert" <deengert@anl.gov> 09/01/2006 03:38 PM
>>> To
>>> malexander@kcp.com
>>> cc
>>> heimdal-discuss@sics.se
>>> Subject
>>> Re: pkinit integration with smart card
>>> malexander@kcp.com wrote:
>>>
>>>> I think I just had a light bulb go off. The hKey value isn't a key
>>>> like
>>>
>>> a
>>>
>>>> symmetric key. The hKey value is an object on the card, that is
>>>> the private key. Is this right?
>>>
>>> Sort of. Its a handle to pass to the PKCS#11 that it uses to find the
>>> key on the card.
>>>
>>>> The hKey value is found in Mozilla with a FindObjectsInit using the
>>>> pTemplate[2]:
>>>> [in] pTemplate[2]: CKA_ID [size : 0x1 (1)]
>>>> 00
>>>> CKA_CLASS CKO_PRIVATE_KEY
>>>> The object that matches is returned and used in the SignInit function.
>>>>
>>>> In heimdal pkinit it looks like it sends the FindObjectsInit with just
>>>
>>> the
>>>
>>>> CKA_CLASS for the Private key.
>>>
>>> And what does the FindObject return? Just one key, or many keys.
>>> Are the calls to the FindObject... and C_Sign all in the same session?
>>> Are there any other calls between the two that would cause the PKCS#11
>>> to get confused about what hKey was to be used with trhe C_Sign.
>>>
>>>> Can I add the CKA_ID for 00 in the FindObjectsInit?
>>>
>>> Maybe. But this may depend on how many keys are on the card,
>>> and you need to use the key that matches the certificate.
>>> The certificate should have a CKA_ID that can be used to find the
>>> matching key. So the apliucation code should use this when it
>>> is trying to find the key object.
>>> Do you have a copy of the PKCS#11 douument? It can be found at
>>> http://www.rsasecurity.com/rsalabs/node.asp?id=2133
>>> or Google for RSA PKCS#11 it "must" reading when debuging PKCS#11.
>>>
>>>>
>>>>
>>>> "Douglas E. Engert" <deengert@anl.gov> Sent by: owner-heimdal-
>>>> discuss@sics.se
>>>> 09/01/2006 10:44 AM
>>>>
>>>> To
>>>> malexander@kcp.com
>>>> cc
>>>> heimdal-discuss@sics.se, owner-heimdal-discuss@sics.se
>>>> Subject
>>>> Re: pkinit integration with smart card
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> malexander@kcp.com wrote:
>>>>
>>>>
>>>>
>>>>> Thanks for the response. Complely new to these low level points with
>>>>
>>>>
>>>> the
>>>>
>>>>> Smart Card so I've been looking up some terms, I appreciate the
>>>>> advice.
>>>>>
>>>>> I looked at the PKCS11-tool output first:
>>>>> pkcs11-tool --module /usr/local/acgold/lib/libpkcs11.so -M
>>>>> Supported mechanisms:
>>>>
>>>>
>>>>
>>>> I am not sure what the other flags are, but I would expect the
>>>> RSA-PKCS would have sign, verify, wrap, unwrap, and maybe decrypt.
>>>> Note it did not say sign, which is the operation you are trying to do.
>>>>
>>>>
>>>>
>>>>> RSA-PKCS, wrap, unwrap, other flags=0x20000
>>>>
>>>>
>>>>
>>>>> SHA1-RSA-PKCS, sign, verify, wrap, unwrap, encrypt, decrypt,
>>>>
>>>>
>>>> keypairgen,
>>>>
>>>>> other flags=0x2d000
>>>>>
>>>>
>>>>
>>>> The available mechanisum from PKCS11 are a combinatiuon of what can
>>>> be done
>>>> in the software and the smartcard. For example the SHA1 hash might be
>>>
>>> done
>>>
>>>> by sending the data to the card, or could be done by the pkcs11
>>>> software
>>>> to produce the hash.
>>>>
>>>> I am suprised if it can do SHA1_RSA_PKCS sign, it can't do
>>>> RSA_PKCS as this just skips the hash set.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> The length of the destination buffer is 128 bytes. The length of
>>>>> the signature in pData is 35 bytes. Is the CKM_RSA_X_509
>>>>> mechanism a tool
>>>>
>>>>
>>>> of
>>>>
>>>>> the Card? Should/could the pData for signature be padded to 128
>>>>> with a method external to the card?
>>>>
>>>>
>>>>
>>>> A sign with RSA_PKCS says take the input and pad with PKCS padding 01
>>>
>>> then
>>>
>>>> do an RSA encrypt using the private key. The data must be less then
>>>> keysize-11 so normally the data sent is a hash of the data you really
>>>
>>> want
>>>
>>>> to sign.
>>>>
>>>> A sign with SHA1_RSA_PKCS says pass the data (any length) to the
>>>> C_Sign
>>>
>>> or
>>>
>>>> (C_SignUpdate...+C_SignFinal) then do the padding and encrypt with
>>>> RSA.
>>>>
>>>> So as Love pointed out, the Heimdal applicaiton could send the data
>>>> pre hashed data to the PKCS11 using SHA1_RSA_PKCS.
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>> "Douglas E. Engert" <deengert@anl.gov> Sent by: owner-heimdal-
>>>>> discuss@sics.se
>>>>> 08/31/2006 01:41 PM
>>>>>
>>>>> To
>>>>> malexander@kcp.com
>>>>> cc
>>>>> heimdal-discuss@sics.se
>>>>> Subject
>>>>> Re: pkinit integration with smart card
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> I have gotten the Heimdal to work with other OpenSC supported cards.
>>>>>
>>>>> It could be that the card says it has the CKM_RSA_PKCS but really
>>>>> does
>>>>> not or the pkcs11 lib is simulating CKM_RSA_PKCS and is having
>>>>> problems
>>>>> doing the padding. It might be possible to use the CKM_RSA_X_509
>>>>> (raw)
>>>>> mechanisum, by doing the PKCS padding first, then calling the C_Sign
>>>>> functions.
>>>>>
>>>>> Could also be that the pkcs11 is expecting the pSignature and
>>>>> pSignatureLen
>>>>> to be set correctly, i.e. for a 1024 key, to a 128 byte buffer,
>>>>> and it
>>>>
>>>>
>>>> is
>>>>
>>>>
>>>>> returing the wrong error code.
>>>>>
>>>>> If you can use the OpenSC spy, can you use the pkcs11-tool as well
>>>>> pointing it at your PKCS11( -module <sharedlib>)? What mechanisums
>>>>> does
>>>>> it say it has?
>>>>>
>>>>>
>>>>>
>>>>> malexander@kcp.com wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Any idea as to why I would receive a CKR_FUNCTION_FAILED error on
>>>>>> the C_Sign operation from PKCS11 module?
>>>>>> I'm getting to the signature operation on the smart card for PKINIT
>>>
>>> when
>>>
>>>>
>>>>>> the kinit segment faults. I used the pkcs11 spy library from OpenSC
>>>
>>> and
>>>
>>>>
>>>>>> the final operations it records with the card are:
>>>>>> 33: C_OpenSession
>>>>>> [in] slotID = 0x1
>>>>>> [in] flags = 0x4
>>>>>> pApplication=(nil)
>>>>>> Notify=(nil)
>>>>>> [out] *phSession = 0x806b860
>>>>>> Returned: 0 CKR_OK
>>>>>>
>>>>>>
>>>>>> 34: C_SignInit
>>>>>> [in] hSession = 0x806b860
>>>>>> pMechanism->type=CKM_RSA_PKCS
>>>>>> [in] hKey = 0x8052508
>>>>>> Returned: 0 CKR_OK
>>>>>>
>>>>>>
>>>>>> 35: C_Sign
>>>>>> [in] hSession = 0x806b860
>>>>>> [in] pData[ulDataLen] [size : 0x23 (35)]
>>>>>> 30213009 06052B0E 03021A05 00041496 9A0A7A5A 74DA942D CA0160DF
>>>>>> CEABACB2
>>>>>> EB2E3F
>>>>>> Returned: 6 CKR_FUNCTION_FAILED
>>>>>>
>>>>>> I've been trying to get the pkinit functionality to work with the
>>>>>> ActivCard Gold middleware product. They provide the pkcs11 module;
>>>>>
>>>>>
>>>>> using
>>>>>
>>>>>
>>>>>> this module I'm able to get it to work with SSH using a patch, but I
>>>>>
>>>>>
>>>>> have
>>>>>
>>>>>
>>>>>> not had success with heimdal.
>>>>>>
>>>>>> The module does not implement the CKA_PUBLIC_EXPONENT class.
>>>
>>> Originally,
>>>
>>>>
>>>>>> the kinit aborts due to the missing exponent and so that's
>>>>>> manually inserted to the value from the certificates on the Smart
>>>>>> Card in the ks_p11.c.
>>>>>>
>>>>>> rsa->e = getattr_bn(p, slot, session, object, CKA_PUBLIC_EXPONENT);
>>>>>> if (rsa->e == NULL)
>>>>>> BN_dec2bn(&rsa->e, "65537");
>>>>>> if (rsa->e == NULL)
>>>>>> _hx509_abort("CKA_PUBLIC_EXPONENT missing");
>>>>>>
>>>>>> I've also changed the rsa->e to any number with the same results, so
>>>
>>> I'm
>>>
>>>>
>>>>>> wondering if I'm doing it right.
>>>>>>
>>>>>
>>>>>
>>
>> --
>>
>> Douglas E. Engert <DEEngert@anl.gov>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
>
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444