>> However, I believe Yubico provides a PKCS#11 module for Yubikeys; have
>> you tried that? The OpenSC people usually do a good job in terms of
>> supporting a wide variety of cards but depending on how old the particular
>> version of OpenSC you are using is you may be running into a compatibility
>> issue.
>>
>> --Ken
>
> Indeed the module provided by Yubico solved the issue. It is called
> ykcs11 and is readily available in the Linux package managers.
I am a LITTLE surprised it worked! The MIT PKINIT plugin hard-codes the
mechanism in the request; I guess the Yubico library ignores the mechanism
given to it, which seems strange to me. I have to ask ... are you SURE that
it's using ECC? Because the code that uses the PKCS#11 library is actually
generating a PKCS#1 digest. I was under the impression that ECC signatures
are in a different format, so I am puzzled how it works at all.

> [14174] 1700562344.750583: PKINIT error: There are 3 certs, but there
> must be exactly one.

I also use smartcards with multiple certificates, and ... well, I'm not sure
how the code would get it wrong. I would use some PKCS#11 tools to poke at
the Yubico library to see what certificates it says that it has (the
KRB5_TRACE output should give you the subjects of the certificates that it
finds).

--Ken
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
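As an added illustration of the "poke at the library with PKCS#11 tools" step (this is not code from the thread, from Yubico or from MIT krb5): the script below parses the certificate listing that OpenSC's `pkcs11-tool --module <ykcs11.so> --list-objects --type cert` prints, shows which certificates the token exposes, and narrows the selection down to exactly one of them so PKINIT no longer sees three candidates. The listing embedded here is constructed to mimic pkcs11-tool's output for a token with three certificates (subjects, labels and IDs are made up), the `pkinit_identities` string follows the `PKCS11:module_name=...:certid=...` form documented for MIT krb5's `krb5.conf`, and the module path is a placeholder you would replace with wherever your distribution installs libykcs11.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample listing, modelled on what OpenSC's pkcs11-tool prints for
# `--list-objects --type cert`. Labels, subjects and IDs are invented.
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      X.509 Certificate for PIV Authentication
  subject:    DN: C=XX, O=Example Org, CN=alice
  ID:         01
Certificate Object; type = X.509 cert
  label:      X.509 Certificate for Digital Signature
  subject:    DN: C=XX, O=Example Org, CN=alice (signing)
  ID:         02
Certificate Object; type = X.509 cert
  label:      X.509 Certificate for Key Management
  subject:    DN: C=XX, O=Example Org, CN=alice (encryption)
  ID:         03
"""

# Placeholder: substitute the real path of libykcs11 on your system.
YKCS11_MODULE = "/usr/lib/x86_64-linux-gnu/libykcs11.so"


@dataclass
class CertObject:
    label: Optional[str] = None
    subject: Optional[str] = None
    cert_id: Optional[str] = None   # CKA_ID as the hex string pkcs11-tool prints


def parse_cert_listing(text: str) -> List[CertObject]:
    """Turn pkcs11-tool's certificate listing into CertObject records.

    A new record starts at every 'Certificate Object' header; indented
    'label:', 'subject:' and 'ID:' lines fill in the current record.
    Unrelated lines (slot banner, other attributes) are ignored.
    """
    certs: List[CertObject] = []
    current: Optional[CertObject] = None
    attr = re.compile(r"^\s+(label|subject|ID):\s+(.*)$")
    for line in text.splitlines():
        if line.startswith("Certificate Object"):
            current = CertObject()
            certs.append(current)
            continue
        if current is None:
            continue
        m = attr.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "label":
            current.label = value
        elif key == "subject":
            # pkcs11-tool prefixes the DN with "DN: "; drop it for readability.
            current.subject = value[4:] if value.startswith("DN: ") else value
        elif key == "ID":
            current.cert_id = value.lower()
    return certs


def select_for_pkinit(certs: List[CertObject], label_hint: str) -> CertObject:
    """Pick the single certificate whose label contains label_hint.

    PKINIT refuses to guess when several certificates match, so this mirrors
    that rule and fails loudly unless exactly one candidate remains.
    """
    matches = [c for c in certs if c.label and label_hint in c.label]
    if len(matches) != 1:
        raise ValueError(
            f"{len(matches)} certificates match {label_hint!r}; need exactly one"
        )
    return matches[0]


def pkinit_identity(module_path: str, cert: CertObject) -> str:
    """Build a pkinit_identities value pinned to one CKA_ID via certid=."""
    if not cert.cert_id:
        raise ValueError("certificate has no CKA_ID; use certlabel= instead")
    return f"PKCS11:module_name={module_path}:certid={cert.cert_id}"


if __name__ == "__main__":
    found = parse_cert_listing(SAMPLE_LISTING)
    print(f"token exposes {len(found)} certificate(s):")
    for c in found:
        print(f"  id={c.cert_id}  label={c.label!r}  subject={c.subject}")
    chosen = select_for_pkinit(found, "PIV Authentication")
    print("suggested pkinit_identities =", pkinit_identity(YKCS11_MODULE, chosen))
```

Run it against real output by piping `pkcs11-tool ... --list-objects --type cert` into `parse_cert_listing`; the subjects it prints are the same ones you would expect to see in the KRB5_TRACE output, and the `certid=` string pins PKINIT to one certificate instead of letting it trip over all three. Listing the matching key objects with `--type pubkey` also answers the RSA-versus-EC question directly.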
