
Re: pkinit with smartcard



Thank you for this very useful info about the pkcs11-spy and pkcs11-tool 
--module commands. Here's what I can report back: Heimdal under 
pkcs11-spy simply works. Without it, it fails with the message about 
"failing to decrypt with the private key".

I'm attaching two files: one is the pkcs11-spy output with Heimdal, 
the other is the output of various pkcs11-tool commands.

I would really like to figure out why decryption doesn't work with 
ActivCard, so any suggestions as to what to try would be really greatly 
appreciated.

Douglas E. Engert wrote:
> If you have the OpenSC pkcs11-spy, which it looks like you do,
> this would also show what is going on even if the pkcs11 is not
> the OpenSC pkcs11, using something like:
>
> PKCS11SPY="usr/local/acgold/lib/libpkcs11.so"
> export PKCS11SPY
>
> /usr/heimdal/bin/kinit --pk-use-enckey \
>   -C PKCS11:/usr/lib/pkcs11-spy.so \
>    aglo@HEIMDAL.CITI.UMICH.EDU
>
> Olga Kornievskaia wrote:
>
>>
>>
>> Love Hörnquist Åstrand wrote:
>>
>>> How is the card configured? Does the private key allow both 
>>> encryption and signing?
>>
>> Well, I don't know much about the smartcard part of it, but I've been 
>> told that the keys on the card should work for both signing and 
>> encrypting.
>>
>>> You can get more info about the existence of the private key and 
>>> some certificate
>>> by using:
>>>
>>> hxtool print --info  PKCS11:/...
>>
>> I get:
>> /usr/heimdal/bin/hxtool print --info 
>> PKCS11:/usr/local/acgold/lib/libpkcs11.so
>> hxtool: hx509_certs_init: Failed to get pin code for slot id 1 with 
>> error: 569927
>>
>>> Love
>>>
>>> 11 dec 2006 kl. 19.53 skrev Olga Kornievskaia:
>>>
>>>> After applying the patch I got:
>>>> kinit: krb5_get_init_creds: Failed to unenvelope CMS data in 
>>>> PK-INIT reply: No private key decrypted the transfer key; Failed to 
>>>> decrypt with certificate issued by CN=CITI Production 
>>>> KCA,O=University of Michigan,L=Ann Arbor,2.5.4.8=Michigan,C=US with 
>>>> serial number 0107BA; Failed to decrypt using private key: -1
>>>>
>>>>
>>>> Love Hörnquist Åstrand wrote:
>>>>
>>>>>
>>>>> 11 dec 2006 kl. 19.17 skrev Olga Kornievskaia:
>>>>>
>>>>>> pkcs11 module release while session in use
>>>>>
>>>>>
>>>>> Ok, so I assume it fails signing or encryption. This should take 
>>>>> away the abort
>>>>> and show the real error
>>>>>
>>>>> http://people.su.se/~lha/patches/heimdal/hx509-fail-put.txt
>>>>>
>>>>> If this isn't the problem, please put a breakpoint in p11_get_session
>>>>> to find where the last get_session occurs before the abort.
>>>>>
>>>>> Love
>>>>>
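The two checks discussed in this thread, wrapping the vendor module in pkcs11-spy and confirming from a pkcs11-tool object listing that the private key actually carries "decrypt" usage, as an added example script. This is not code from any of the posters, from Heimdal or from OpenSC. PKCS11SPY and PKCS11SPY_OUTPUT are the environment variables OpenSC's pkcs11-spy reads; the module, kinit and log paths are assumptions for this example, and the object listing is constructed in the format pkcs11-tool -O prints, not real card output. The check matters because `kinit --pk-use-enckey` asks the KDC for an RSA-enveloped reply, so the card's private key must permit decryption, not only signing:

```shell
#!/bin/sh
# Added example for this thread, not code from the posters or from Heimdal/OpenSC.
# Two debugging helpers for the "No private key decrypted the transfer key" failure:
#   1. spy_kinit: run kinit with the vendor PKCS#11 module wrapped by OpenSC's pkcs11-spy,
#      logging every C_* call (PKCS11SPY and PKCS11SPY_OUTPUT are pkcs11-spy's own
#      environment variables; the paths below are assumptions for this example).
#   2. check_private_key_usage: read a `pkcs11-tool --module <lib> --login -O` listing on
#      stdin and fail if any private key lacks the "decrypt" usage that an RSA-enveloped
#      PK-INIT reply (kinit --pk-use-enckey) needs, or the "sign" usage the request needs.

VENDOR_MODULE=${VENDOR_MODULE:-/usr/local/acgold/lib/libpkcs11.so}   # assumption
SPY_MODULE=${SPY_MODULE:-/usr/lib/pkcs11-spy.so}                      # assumption
KINIT=${KINIT:-/usr/heimdal/bin/kinit}                                # assumption
SPY_LOG=${SPY_LOG:-/tmp/pkcs11-spy.log}                               # assumption

spy_kinit() {
    # usage: spy_kinit principal [extra kinit args...]
    principal=$1; shift
    PKCS11SPY="$VENDOR_MODULE" PKCS11SPY_OUTPUT="$SPY_LOG" \
        "$KINIT" --pk-use-enckey -C "PKCS11:$SPY_MODULE" "$@" "$principal"
}

# Prints "ok" and returns 0 when every "Private Key Object" in the listing has both
# decrypt and sign in its Usage line; otherwise prints one BAD line per offending key
# and returns 1.
check_private_key_usage() {
    awk '
        function report() {
            if (usage !~ /decrypt/ || usage !~ /sign/) {
                printf "BAD %s (Usage: %s)\n", label, usage
                bad = 1
            }
        }
        BEGIN { bad = 0; inkey = 0 }
        /^Private Key Object/ { if (inkey) report(); inkey = 1; label = ""; usage = ""; next }
        /^(Public Key|Certificate|Data) Object/ { if (inkey) report(); inkey = 0; next }
        inkey && /^[ \t]*label:/ { sub(/^[ \t]*label:[ \t]*/, ""); label = $0 }
        inkey && /^[ \t]*Usage:/ { sub(/^[ \t]*Usage:[ \t]*/, ""); usage = $0 }
        END { if (inkey) report(); if (!bad) print "ok"; exit bad }
    '
}

# Constructed listing in pkcs11-tool -O format (not real card output): the first key can
# sign but not decrypt, which is exactly the configuration that makes enckey PK-INIT fail.
SAMPLE_LISTING='Private Key Object; RSA
  label:      ID Key
  ID:         01
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable
Private Key Object; RSA
  label:      Email Key
  ID:         03
  Usage:      decrypt, sign, unwrap
Certificate Object; type = X.509 cert
  label:      ID Cert
  ID:         01'

# `sh thisscript.sh demo` runs the check over the constructed listing; with a real card,
# pipe `pkcs11-tool --module "$VENDOR_MODULE" --login -O` into check_private_key_usage.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | check_private_key_usage
fi
```

If the listing shows the key used by the PK-INIT certificate without decrypt usage, the spy log will show C_Decrypt (or C_DecryptInit) returning an error while C_Sign succeeds, which is the case Love asked about; if the usage flags look right but the spy log still shows the decrypt call failing, the problem is in the module rather than the key's attributes.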