[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pkinit with smartcard

To: Olga Kornievskaia <aglo@citi.umich.edu>
Subject: Re: pkinit with smartcard
From: "Douglas E. Engert" <deengert@anl.gov>
Date: Tue, 12 Dec 2006 09:52:09 -0600
Cc: Love Hörnquist Åstrand <lha@kth.se>, heimdal-discuss@sics.se
In-Reply-To: <457DCA6C.6010203@citi.umich.edu>
References: <457A1780.1060403@citi.umich.edu> <5D26DA27-544D-476D-98D8-00F3F678007C@kth.se> <457CEAF6.9090804@citi.umich.edu> <F198E282-26B1-47AD-B54C-10981CC7195F@kth.se> <457DA0C7.3080009@citi.umich.edu> <621376BC-EDEE-4CA1-89C8-AE1A0FFBCDB1@kth.se> <457DA940.7070501@citi.umich.edu> <BD6AC5F4-00EE-4B86-A1D9-9E2E29B73FBD@kth.se> <457DCA6C.6010203@citi.umich.edu>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060414

If you have the OpenSC pkcs11-spy which it looks like you do
this would also show what is going on even if the pkcs11 is not
the OpenSC pkcs11. using something like:

PKCS11SPY="usr/local/acgold/lib/libpkcs11.so"
export PKCS11SPY

/usr/heimdal/bin/kinit --pk-use-enckey \
   -C PKCS11:/usr/lib/pkcs11-spy.so \
    aglo@HEIMDAL.CITI.UMICH.EDU

Olga Kornievskaia wrote:

> 
> 
> Love Hörnquist Åstrand wrote:
> 
>> How is the card configured, does the private key allow both encryption 
>> and signing ?
> 
> well, i don't know much about smartcards part of it but i've been told 
> that the keys on the card show work for both signing and encrypting.
> 
>> You can get more info about the existance of the private key and some 
>> certificate
>> by using.
>>
>> hxtool print --info  PKCS11:/...
> 
> i get:
> /usr/heimdal/bin/hxtool print --info 
> PKCS11:/usr/local/acgold/lib/libpkcs11.so
> hxtool: hx509_certs_init: Failed to get pin code for slot id 1 with 
> error: 569927
> 
>> Love
>>
>> 11 dec 2006 kl. 19.53 skrev Olga Kornievskaia:
>>
>>> after applying the patch i got:
>>> kinit: krb5_get_init_creds: Failed to unenvelope CMS data in PK-INIT 
>>> reply: No private key decrypted the transfer key; Failed to decrypt 
>>> with certificate issued by CN=CITI Production KCA,O=University of 
>>> Michigan,L=Ann Arbor,2.5.4.8=Michigan,C=US with serial number 0107BA; 
>>> Failed to decrypt using private key: -1
>>>
>>>
>>> Love Hörnquist Åstrand wrote:
>>>
>>>>
>>>> 11 dec 2006 kl. 19.17 skrev Olga Kornievskaia:
>>>>
>>>>> pkcs11 module release while session in use
>>>>
>>>>
>>>> Ok, so I assume it failes signing or encryption. This should take 
>>>> way the abort
>>>> and show the real error
>>>>
>>>> http://people.su.se/~lha/patches/heimdal/hx509-fail-put.txt
>>>>
>>>> If this isn't the problem, please put a breakpoint in p11_get_session
>>>> to find where the last get_session occur before the abourt.
>>>>
>>>> Love
>>>>
>>>>
>>>>
>>
>>
>>
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Follow-Ups:
- Re: pkinit with smartcard
  - From: Olga Kornievskaia <aglo@citi.umich.edu>

References:
- pkinit with smartcard
  - From: Olga Kornievskaia <aglo@citi.umich.edu>
- Re: pkinit with smartcard
  - From: Love Hörnquist Åstrand <lha@kth.se>
- Re: pkinit with smartcard
  - From: Olga Kornievskaia <aglo@citi.umich.edu>
- Re: pkinit with smartcard
  - From: Love Hörnquist Åstrand <lha@kth.se>
- Re: pkinit with smartcard
  - From: Olga Kornievskaia <aglo@citi.umich.edu>
- Re: pkinit with smartcard
  - From: Love Hörnquist Åstrand <lha@kth.se>
- Re: pkinit with smartcard
  - From: Olga Kornievskaia <aglo@citi.umich.edu>
- Re: pkinit with smartcard
  - From: Love Hörnquist Åstrand <lha@kth.se>
- Re: pkinit with smartcard
  - From: Olga Kornievskaia <aglo@citi.umich.edu>

Prev by Date: Re: How read Subject Alternative Name
Next by Date: Re: pkinit with smartcard
Prev by thread: Re: pkinit with smartcard
Next by thread: Re: pkinit with smartcard
Index(es):
- Date
- Thread