No Subject
that includes leaves the session open after the FindObjects locates the object later used in the hKey value, will be assembled. I'll give that a try when it is available.

Mike
.

Love Hörnquist Åstrand <lha@kth.se>
09/05/2006 02:46 PM
To: malexander@kcp.com
cc: "Douglas E. Engert" <deengert@anl.gov>, heimdal-discuss@sics.se
Subject: Re: pkinit integration with smart card

On 5 Sep 2006, at 20:58, Love Hörnquist Åstrand wrote:

cert: 0 (have private key)
    issuer: "OU=CA,OU=Kansas City Plant,OU=Department of Energy,O=U.S. Government,C=US"
    subject: "2.5.4.5=u60267+CN=Michael B. Alexander,OU=local,OU=person,OU=Kansas City Plant,OU=Department of Energy,O=U.S. Government,C=US"
cert: 1 (have private key)
    issuer: "OU=CA,OU=Kansas City Plant,OU=Department of Energy,O=U.S. Government,C=US"
    subject: "2.5.4.5=u60267+CN=Michael B. Alexander,OU=local,OU=person,OU=Kansas City Plant,OU=Department of Energy,O=U.S. Government,C=US"

And here is the real problem, you have two cert/public key/private key triplets on the card and the code that is supposed to select the signing certificate somehow fails to do the right thing, it chooses the encryption only cert/key, and after that, everything goes bad.

I'll try to add certs like that to the regression tests.

I apparently already had those kinds of certificates, but just no support in hxtool to use them, pk-init should use them.

With the patch below you can test if the selection code works for your certificates.

$ for a in "" "-ke-only" "-ds-only" ; do ./hxtool query --digitalSig --print \
    FILE:$HOME/src/heimdal/lib/hx509/data/test$a.crt ; done
match found
    private key: no
    issuer: "C=SE,CN=hx509 Test Root CA"
    subject: "CN=Test cert,C=SE"
no match found (569873)
match found
    private key: no
    issuer: "C=SE,CN=hx509 Test Root CA"
    subject: "CN=Test cert DigitalSignature,C=SE"

http://people.su.se/~lha/patches/heimdal/hxtool-query-flag-print.patch
Love
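
The selection problem described in the message above, as an added example (not Heimdal's hx509 code and not part of the original thread): a card holds an encryption-only and a signing certificate, and the signing one has to be picked by the digitalSignature bit of its keyUsage extension. The names `struct candidate`, `ku_bit` and `select_signing` and the sample bytes are constructed for illustration; a certificate with no keyUsage extension is treated as unrestricted, per RFC 5280.

```c
#include <stddef.h>
#include <stdio.h>

/* RFC 5280 KeyUsage bit numbers; bit 0 is the MSB of the first content byte. */
enum { KU_DIGITAL_SIGNATURE = 0, KU_KEY_ENCIPHERMENT = 2 };

struct candidate {               /* hypothetical stand-in for one cert on the card */
    const char *label;
    const unsigned char *ku;     /* DER BIT STRING of keyUsage, NULL if absent */
    size_t ku_len;
    int have_private_key;
};

/* 1 if the bit is set, 0 if clear, -1 if the BIT STRING is malformed. */
static int ku_bit(const unsigned char *der, size_t len, unsigned bit)
{
    if (len < 3 || der[0] != 0x03 || der[1] >= 0x80 ||
        (size_t)der[1] != len - 2 || der[2] > 7)
        return -1;
    if (bit / 8 >= (size_t)der[1] - 1)
        return 0;                /* DER drops trailing zero bits */
    return (der[3 + bit / 8] >> (7 - bit % 8)) & 1;
}

/* Index of the first candidate usable for signing, or -1 if there is none. */
static int select_signing(const struct candidate *c, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!c[i].have_private_key)
            continue;
        /* Absent keyUsage means no restriction; malformed (-1) is rejected. */
        if (c[i].ku == NULL ||
            ku_bit(c[i].ku, c[i].ku_len, KU_DIGITAL_SIGNATURE) == 1)
            return (int)i;
    }
    return -1;
}

/* Constructed sample data: the two keyUsage values a dual-cert card would carry. */
static const unsigned char KE_ONLY[] = { 0x03, 0x02, 0x05, 0x20 }; /* keyEncipherment */
static const unsigned char DS_ONLY[] = { 0x03, 0x02, 0x07, 0x80 }; /* digitalSignature */
static const struct candidate CARD[] = {
    { "cert 0 (encryption only)", KE_ONLY, sizeof KE_ONLY, 1 },
    { "cert 1 (signing)",         DS_ONLY, sizeof DS_ONLY, 1 },
};

int main(void)
{
    int i = select_signing(CARD, sizeof CARD / sizeof CARD[0]);
    printf("signing cert: %s\n", i < 0 ? "none" : CARD[i].label);
    return 0;
}
```

Taking the first certificate that has a private key would return cert 0 here, which is the encryption-only one.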

I eagerly will await the snapshot tonight, thanks for doing that so quickly. Here is the output from the hxquery tool (with PKCS11SPY=/usr/local/acgold/lib/libpkcs11.so), if that's useful.

$ hxtool query --pass=PROMPT --digitalSignature --print PKCS11:/usr/lib/pkcs11-spy.so
PIN code for ActivCard USB Reader 2.0 (60102D27) 00 00:
( Wrap Unwrap )
( Encrypt Decrypt Sign SigRecov Verify VerRecov Generate KeyPair Wrap Unwrap )
match found
    (have private key)
    issuer: "OU=CA,OU=Kansas City Plant,OU=Department of Energy,O=U.S. Government,C=US"
    subject: "2.5.4.5=u60267+CN=Michael B. Alexander,OU=local,OU=person,OU=Kansas City Plant,OU=Department of Energy,O=U.S. Government,C=US"

From what I understand, the hxtool is querying the smart card in the same mechanism that pk-init will. The hxquery tool has correctly identified the signing key on the card, and so should pk-init. Tonight, the snapshot that includes leaves the session open after the FindObjects locates the object later used in the hKey value, will be assembled. I'll give that a try when it is available.

Mike
.