Re: pkinit with smartcard
I apologize for a repeated message, but I forgot to attach the files.
Take 2.
Olga Kornievskaia wrote:
> Thank you for this very useful info about the pkcs11-spy and
> pkcs11-tool --module commands. Here's what I can report back: Heimdal
> under pkcs11-spy simply works; without it, it fails with the message about
> "failing to decrypt with the private key".
>
> I'm attaching two files: one is the pkcs11-spy output with Heimdal,
> the other is the output of various pkcs11-tool commands.
>
> I would really like to figure out why decryption doesn't work with
> ActivCard, so any suggestions as to what to try would be greatly
> appreciated.
>
> Douglas E. Engert wrote:
>> If you have the OpenSC pkcs11-spy, which it looks like you do,
>> this would also show what is going on even if the pkcs11 is not
>> the OpenSC pkcs11, using something like:
>>
>> PKCS11SPY="/usr/local/acgold/lib/libpkcs11.so"
>> export PKCS11SPY
>>
>> /usr/heimdal/bin/kinit --pk-use-enckey \
>> -C PKCS11:/usr/lib/pkcs11-spy.so \
>> aglo@HEIMDAL.CITI.UMICH.EDU
>>
>> Olga Kornievskaia wrote:
>>
>>> Love Hörnquist Åstrand wrote:
>>>
>>>> How is the card configured, does the private key allow both
>>>> encryption and signing ?
>>>
>>> Well, I don't know much about the smartcard part of it, but I've been
>>> told that the keys on the card should work for both signing and
>>> encrypting.
>>>
>>>> You can get more info about the existence of the private key and
>>>> some certificate by using:
>>>>
>>>> hxtool print --info PKCS11:/...
>>>
>>> I get:
>>> /usr/heimdal/bin/hxtool print --info
>>> PKCS11:/usr/local/acgold/lib/libpkcs11.so
>>> hxtool: hx509_certs_init: Failed to get pin code for slot id 1 with
>>> error: 569927
>>>
>>>> Love
>>>>
>>>> 11 dec 2006 kl. 19.53 skrev Olga Kornievskaia:
>>>>
>>>>> After applying the patch I got:
>>>>> kinit: krb5_get_init_creds: Failed to unenvelope CMS data in
>>>>> PK-INIT reply: No private key decrypted the transfer key; Failed
>>>>> to decrypt with certificate issued by CN=CITI Production
>>>>> KCA,O=University of Michigan,L=Ann Arbor,2.5.4.8=Michigan,C=US
>>>>> with serial number 0107BA; Failed to decrypt using private key: -1
>>>>>
>>>>> Love Hörnquist Åstrand wrote:
>>>>>
>>>>>>
>>>>>> 11 dec 2006 kl. 19.17 skrev Olga Kornievskaia:
>>>>>>
>>>>>>> pkcs11 module release while session in use
>>>>>>
>>>>>> Ok, so I assume it fails signing or encryption. This should take
>>>>>> away the abort and show the real error:
>>>>>>
>>>>>> http://people.su.se/~lha/patches/heimdal/hx509-fail-put.txt
>>>>>>
>>>>>> If this isn't the problem, please put a breakpoint in
>>>>>> p11_get_session
>>>>>> to find where the last get_session occurs before the abort.
>>>>>>
>>>>>> Love
/usr/heimdal/bin/kinit --pk-use-enckey -C PKCS11:/usr/lib/pkcs11-spy.so aglo@AGLO.CITI.UMICH.EDU
*************** OpenSC PKCS#11 spy *****************
Loaded: "/usr/local/acgold/lib/libpkcs11.so"
0: C_GetFunctionList
Returned: 0 CKR_OK
1: C_Initialize
Returned: 0 CKR_OK
2: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
Count is 1
[out] *pulCount = 0x1
Returned: 0 CKR_OK
3: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
Slot 1
[out] *pulCount = 0x1
Returned: 0 CKR_OK
4: C_GetSlotInfo
[in] slotID = 0x1
[out] pInfo:
slotDescription: 'ActivCard USB Reader 2.0 (601024'
'19) 00 00 '
manufacturerID: 'Unknown MFR '
hardwareVersion: 1.0
firmwareVersion: 1.0
flags: 7
CKF_TOKEN_PRESENT
CKF_REMOVABLE_DEVICE
CKF_HW_SLOT
Returned: 0 CKR_OK
5: C_GetTokenInfo
[in] slotID = 0x1
[out] pInfo:
label: 'ActivIdentity Smart Card '
manufacturerID: 'Unknown MFR '
model: 'Unknown Model '
serialNumber: '1 '
ulMaxSessionCount: 0
ulSessionCount: 0
ulMaxRwSessionCount: 0
ulRwSessionCount: 0
ulMaxPinLen: 8
ulMinPinLen: 8
ulTotalPublicMemory: 0
ulFreePublicMemory: 0
ulTotalPrivateMemory: 0
ulFreePrivateMemory: 0
hardwareVersion: 255.0
firmwareVersion: 255.0
time: '0000000000000000'
flags: 40d
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK
6: C_OpenSession
[in] slotID = 0x1
[in] flags = 0x4
pApplication=(nil)
Notify=(nil)
[out] *phSession = 0x929c148
Returned: 0 CKR_OK
PIN code for ActivCard USB Reader 2.0 (60102419) 00 00:
7: C_Login
[in] hSession = 0x929c148
[in] userType = CKU_USER
[in] pPin[ulPinLen] [size : 0x6 (6)]
30303030 3030
Returned: 0 CKR_OK
8: C_GetMechanismList
[in] slotID = 0x1
[out] pMechanismList[2]:
Count is 2
Returned: 0 CKR_OK
9: C_GetMechanismList
[in] slotID = 0x1
[out] pMechanismList[2]:
CKM_RSA_PKCS
CKM_SHA1_RSA_PKCS
Returned: 0 CKR_OK
10: C_GetMechanismInfo
[in] slotID = 0x1
CKM_RSA_PKCS
[out] pInfo:
CKM_RSA_PKCS : min:128 max:256 flags:0x60000 ( Wrap Unwrap )
Returned: 0 CKR_OK
11: C_GetMechanismInfo
[in] slotID = 0x1
CKM_SHA1_RSA_PKCS
[out] pInfo:
CKM_SHA1_RSA_PKCS : min:0 max:0 flags:0x7FB00 ( Encrypt Decrypt Sign SigRecov Verify VerRecov Generate KeyPair Wrap Unwrap )
Returned: 0 CKR_OK
12: C_FindObjectsInit
[in] hSession = 0x929c148
[in] pTemplate[1]:
CKA_CLASS CKO_PRIVATE_KEY
Returned: 0 CKR_OK
13: C_FindObjects
[in] hSession = 0x929c148
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 153732112 Matches
Returned: 0 CKR_OK
14: C_GetAttributeValue
[in] hSession = 0x929c148
[in] hObject = 0x929c410
[in] pTemplate[1]:
CKA_ID requested with 0 buffer
[out] pTemplate[1]:
CKA_ID has size 1
Returned: 0 CKR_OK
15: C_GetAttributeValue
[in] hSession = 0x929c148
[in] hObject = 0x929c410
[in] pTemplate[1]:
CKA_ID requested with 1 buffer
[out] pTemplate[1]:
CKA_ID [size : 0x1 (1)]
03
Returned: 0 CKR_OK
16: C_GetAttributeValue
[in] hSession = 0x929c148
[in] hObject = 0x929c410
[in] pTemplate[1]:
CKA_MODULUS requested with 0 buffer
[out] pTemplate[1]:
CKA_MODULUS has size 128
Returned: 0 CKR_OK
17: C_GetAttributeValue
[in] hSession = 0x929c148
[in] hObject = 0x929c410
[in] pTemplate[1]:
CKA_MODULUS requested with 128 buffer
[out] pTemplate[1]:
CKA_MODULUS [size : 0x80 (128)]
C21B643A 35508347 AF672FE6 19AA6818 B9E3CE02 F6F4136D 3952D339 EC9A65DB
89F6A0C2 38F01CF5 DE15E056 1FFAA678 CA9F8368 533F74DB 9BE2BD13 A399B4D5
42ACBB0F 0ECA8989 D05340C9 D9671894 DE3F0E3E E671D57B E53CDFB8 46962322
002EA7AF D89C02AC 070131FC 052D0A6F 524E1147 17CD3258 19A0D9BB 39B8AFA5
Returned: 0 CKR_OK
18: C_GetAttributeValue
[in] hSession = 0x929c148
[in] hObject = 0x929c410
[in] pTemplate[1]:
CKA_PUBLIC_EXPONENT requested with 0 buffer
[out] pTemplate[1]:
CKA_PUBLIC_EXPONENT has size -1
Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID
19: C_FindObjects
[in] hSession = 0x929c148
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x0
Returned: 0 CKR_OK
20: C_FindObjectsFinal
[in] hSession = 0x929c148
Returned: 0 CKR_OK
21: C_FindObjectsInit
[in] hSession = 0x929c148
[in] pTemplate[1]:
CKA_CLASS CKO_CERTIFICATE
Returned: 0 CKR_OK
22: C_FindObjects
[in] hSession = 0x929c148
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 153789088 Matches
Returned: 0 CKR_OK
23: C_GetAttributeValue
[in] hSession = 0x929c148
[in] hObject = 0x92aa2a0
[in] pTemplate[3]:
CKA_ID requested with 1 buffer
CKA_VALUE requested with 0 buffer
CKA_LABEL requested with 0 buffer
[out] pTemplate[3]:
CKA_ID has size 1
CKA_VALUE has size 1328
CKA_LABEL has size 12
Returned: 0 CKR_OK
24: C_GetAttributeValue
[in] hSession = 0x929c148
[in] hObject = 0x92aa2a0
[in] pTemplate[3]:
CKA_ID requested with 1 buffer
CKA_VALUE requested with 1328 buffer
CKA_LABEL requested with 12 buffer
[out] pTemplate[3]:
CKA_ID [size : 0x1 (1)]
03
CKA_VALUE [size : 0x530 (1328)]
CKA_LABEL [size : 0xC (12)]
43657274 69666963 61746531
C e r t i f i c a t e 1
Returned: 0 CKR_OK
25: C_FindObjects
[in] hSession = 0x929c148
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x0
Returned: 0 CKR_OK
26: C_FindObjectsFinal
[in] hSession = 0x929c148
Returned: 0 CKR_OK
27: C_SignInit
[in] hSession = 0x929c148
pMechanism->type=CKM_RSA_PKCS
[in] hKey = 0x929c410
Returned: 0 CKR_OK
28: C_Sign
[in] hSession = 0x929c148
[in] pData[ulDataLen] [size : 0x23 (35)]
30213009 06052B0E 03021A05 000414DD 1B675E4A 0FA98BAC D4DEBA5F CB597DDE
F98BB1
[out] pSignature[*pulSignatureLen] [size : 0x80 (128)]
120F79E4 4A642640 FDB6F8DD 32EFA86B 5D497F86 419D5607 249609CD 19294E59
F0F595AB 259FDFAE 7D1D198A 64ABB148 19C030DA 7F344D04 DB0EF927 12D84D8A
A30F206B F157549A 59749263 C81B0B79 06BAF91D 9052D5A1 D0D4F14D C40DD942
015E0882 FC371E46 2410BF35 C42DDA2A CA0AC1EC 21C60D56 C6C3E2E4 B9BE1511
Returned: 0 CKR_OK
29: C_DecryptInit
[in] hSession = 0x929c148
pMechanism->type=CKM_RSA_PKCS
[in] hKey = 0x929c410
Returned: 0 CKR_OK
30: C_Decrypt
[in] hSession = 0x929c148
[in] pEncryptedData[ulEncryptedDataLen] [size : 0x80 (128)]
38D5F203 632CE669 A834044B E831D263 0E9572A7 02BB2FB8 48D6A41F E3B68D73
775ACBFC 935F5EFC 6C961BDD 79A4666B D4B6D090 D9511D5F 0FD632F6 B3D2BF09
F70EC204 26D39BB0 C0AF1164 E457ED4C F8078266 40CD94DA 85FB43A5 31A8B3A4
002A6705 4264D06C AEED4267 D44DE524 6934021E 69FE9786 F3BA7AB2 FD08062B
[out] pData[*pulDataLen] [size : 0x18 (24)]
A416012F D38C8CBF C24F6D08 7C4ACBA2 5464A48A B03E43EF
Returned: 0 CKR_OK
31: C_CloseSession
[in] hSession = 0x929c148
Returned: 0 CKR_OK
32: C_Finalize
Returned: 0 CKR_OK
pkcs11-tool --module /usr/local/acgold/lib/libpkcs11.so -O
warning: PKCS11 function C_GetAttributeValue(KEY_TYPE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
Public Key Object; unknown key algorithm 159299576
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
ID: 03
warning: PKCS11 function C_GetAttributeValue(ENCRYPT) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
warning: PKCS11 function C_GetAttributeValue(VERIFY) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
warning: PKCS11 function C_GetAttributeValue(WRAP) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
Usage: encrypt, verify, wrap
Certificate Object, type = X.509 cert
label: Certificate1
ID: 03
Private Key Object; RSA
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
ID: 03
Usage: decrypt, sign, unwrap
------------------------------------------------------------------------------
pkcs11-tool --module /usr/local/acgold/lib/libpkcs11.so -L
Available slots:
Slot 1 ActivCard USB Reader 2.0 (60102419) 00 00
token label: ActivIdentity Smart Card
token manuf: Unknown MFR
token model: Unknown Model
token flags: rng, login required, PIN initialized, token initialized
serial num : 1
------------------------------------------------------------------------------
pkcs11-tool --module /usr/local/acgold/lib/libpkcs11.so -M
Supported mechanisms:
RSA-PKCS, wrap, unwrap, other flags=0x20000
SHA1-RSA-PKCS, sign, verify, wrap, unwrap, encrypt, decrypt, keypairgen, other flags=0x2d000
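As an added example (not part of this thread or of Heimdal/OpenSC), a small Python helper that reads a pkcs11-spy trace of the shape attached above: it decodes the CK_MECHANISM_INFO flag words, lists any mechanism handed to C_DecryptInit that the token never advertised with the Decrypt flag (as with CKM_RSA_PKCS above, which reports only Wrap/Unwrap), and blanks the PIN bytes the spy logs for C_Login before a trace is shared. The trace inside the block is constructed; the CKF_* bit values are the standard PKCS#11 v2 ones.

```python
import re
# CK_MECHANISM_INFO flag bits from the PKCS#11 v2.x header (pkcs11t.h).
CKF = {0x100: "Encrypt", 0x200: "Decrypt", 0x400: "Digest", 0x800: "Sign",
       0x1000: "SigRecov", 0x2000: "Verify", 0x4000: "VerRecov", 0x8000: "Generate",
       0x10000: "KeyPair", 0x20000: "Wrap", 0x40000: "Unwrap", 0x80000: "Derive"}

# Constructed excerpt in pkcs11-spy's output format, modelled on the trace above
# (same mechanism flag words and PIN-dump shape; the PIN bytes are made up).
SAMPLE = """\
7: C_Login
[in] pPin[ulPinLen] [size : 0x4 (4)]
31323334
Returned: 0 CKR_OK
10: C_GetMechanismInfo
CKM_RSA_PKCS : min:128 max:256 flags:0x60000 ( Wrap Unwrap )
Returned: 0 CKR_OK
11: C_GetMechanismInfo
CKM_SHA1_RSA_PKCS : min:0 max:0 flags:0x7FB00 ( Encrypt Decrypt Sign )
Returned: 0 CKR_OK
29: C_DecryptInit
pMechanism->type=CKM_RSA_PKCS
Returned: 0 CKR_OK
"""

def decode_flags(value):
    """Expand a CK_MECHANISM_INFO.flags word into the CKF_* capability names it sets."""
    return [name for bit, name in sorted(CKF.items()) if value & bit]

def parse_trace(text):
    """Return (calls, mechs): one {'fn','mech','rv'} per C_* call, plus advertised flags per mechanism."""
    calls, mechs = [], {}
    for line in text.splitlines():
        if m := re.match(r"^\s*\d+: (C_\w+)", line):
            calls.append({"fn": m.group(1), "mech": None, "rv": None})
        elif m := re.match(r"^\s*(CKM_\w+) : .*flags:0x([0-9A-Fa-f]+)", line):
            mechs[m.group(1)] = decode_flags(int(m.group(2), 16))
        elif m := re.match(r"^\s*pMechanism->type=(CKM_\w+)", line):
            calls[-1]["mech"] = m.group(1)
        elif m := re.match(r"^\s*Returned: \d+ (CKR_\w+)", line):
            calls[-1]["rv"] = m.group(1)
    return calls, mechs

def unadvertised_decrypt(text):
    """Mechanisms handed to C_DecryptInit although the token never advertised Decrypt for them."""
    calls, mechs = parse_trace(text)
    return [c["mech"] for c in calls
            if c["fn"] == "C_DecryptInit" and "Decrypt" not in mechs.get(c["mech"], [])]

def redact_pins(text):
    """pkcs11-spy dumps the PIN given to C_Login in clear; blank it before sharing a trace."""
    return re.sub(r"(pPin\[ulPinLen\][^\n]*\n)[0-9A-Fa-f ]+\n", r"\1<pin redacted>\n", text)
```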