G'day,

[not sure if this is a muscle, opensc, or heimdal problem, so
cross-posting to multiple lists]

I'm having a problem when using Heimdal pkinit with opensc's
pkcs11-enabled crypto engine and the pkcs#11 library provided with muscle.

When I do a kinit using the gemplus PKCS#11 library and a gemsafe card,
I get asked for a PIN to access the private key on the card:

  $ pkcs11-tool --module /usr/lib/gemsafe/libgemsafe.so --show-info
  Cryptoki version 2.1
  Manufacturer     Gemplus
  Library          PKCS#11 Cryptoki (ver 4.0)

  $ pkcs11-tool --module /usr/lib/gemsafe/libgemsafe.so --list-slots
  Available slots:
  Slot 0           Twin 00 00
  token state:   uninitialized

  $ /usr/heimdal/bin/kinit -C ENGINE:CERT=slot_0,KEY=slot_0
  initializing engine
  Found 1 slot
  [0] Twin 00 00                 uninitialized, login
                                 (GemSAFE-D808250F240D)
  Found slot:  Twin 00 00
  Found token: GemSAFE-D808250F240D
  Found 1 cert:
  Found 1 slot
  [0] Twin 00 00                 uninitialized, login
                                 (GemSAFE-D808250F240D)
  Found slot:  Twin 00 00
  Found token: GemSAFE-D808250F240D
  Found 1 certificate:
     1     (/DC=vas/DC=sc/CN=Users/CN=Matlock)
  PKCS#11 token PIN:
  Found 1 key:
     1 P

However, when I replace the gemsafe PKCS#11 library with the muscle pkcs#11 library and a cyberflex card, there is no prompt for the PIN:

  $ pkcs11-tool --module /usr/local/lib/libmusclepkcs11.so --show-info
  Cryptoki version 2.11
  Manufacturer     SCHLUMBERGER
  Library          SLB PKCS #11 module (ver 1.0)

  $ pkcs11-tool --module /usr/local/lib/libmusclepkcs11.so --list-slots
  Available slots:
  Slot 1           SCR 331 00 00
    token label:   MuscleCard Applet
    token manuf:   Unknown MFR
    token model:   Unknown Model
    token flags:   rng, login required, PIN initialized, token
                   initialized
    serial num  :  1

  $ /usr/heimdal/bin/kinit -C ENGINE:CERT=slot_0,KEY=slot_0
  initializing engine
  Found 1 slot
  [0] SCR 331 00 00              login             (MuscleCard Applet)
  Found slot:  SCR 331 00 00
  Found token: MuscleCard Applet
  Found 1 cert:
  Found 1 slot
  [0] SCR 331 00 00              login             (MuscleCard Applet)
  Found slot:  SCR 331 00 00
  Found token: MuscleCard Applet
  Found 1 certificate:
     1    DC=vas, DC=sc, CN=Users, CN=Matlock
          (/DC=vas/DC=sc/CN=Users/CN=Matlock)
  Found 1 key:
     1 P  DC=vas, DC=sc, CN=Users, CN=Matlock \
   kinit: krb5_get_init_creds: PKINIT: failed to sign with private key:
   error:2A00A101:PKCS11 library:PKCS11_rsa_sign:User not logged in


I suspect that deep within the crypto engine, code is looking at the
token flags and deciding if asking for a PIN is necessary. The token
flags seem a bit strange for the gemsafe card, but a PIN is requested.
However, no PIN is requested for the muscle card, even though the token
flags specify that login is required.

Can anyone explain what is happening here?

-- Geoff
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
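As an added example (not code from the post, nor from OpenSC, muscle or Heimdal), a small Python diagnostic that parses the `pkcs11-tool --list-slots` output quoted above, decodes the token flags, and applies the check the poster suspects the engine is skipping: with CKF_LOGIN_REQUIRED set, a PIN prompt and C_Login must precede any private-key signature, otherwise C_Sign returns CKR_USER_NOT_LOGGED_IN (0x101), the reason field of the `2A00A101` error. The flag-word-to-bit map and the error-code packing are assumptions.

```python
import re
# CK_TOKEN_INFO flag bits (PKCS#11 v2.11), keyed by the words pkcs11-tool prints (this map is an assumption)
TOKEN_FLAGS = {
    "rng": 0x00000001,                # CKF_RNG
    "login required": 0x00000004,     # CKF_LOGIN_REQUIRED
    "PIN initialized": 0x00000008,    # CKF_USER_PIN_INITIALIZED
    "token initialized": 0x00000400,  # CKF_TOKEN_INITIALIZED
}
CKF_LOGIN_REQUIRED = TOKEN_FLAGS["login required"]
CKR_USER_NOT_LOGGED_IN = 0x101        # PKCS#11 return value from C_Sign without a prior C_Login

# Constructed sample: the muscle --list-slots output quoted in the post, with its wrapped "token flags:" line
MUSCLE_LIST_SLOTS = """\
Available slots:
Slot 1           SCR 331 00 00
  token flags:   rng, login required, PIN initialized, token
                 initialized
  serial num  :  1
"""

def parse_list_slots(text):
    """Turn `pkcs11-tool --list-slots` output into slot dicts with decoded CKF_* flags."""
    slots, cur, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"\s*Slot (\d+)\s+(.*)", lines[i])
        if m:
            cur = {"id": int(m.group(1)), "desc": m.group(2).strip(), "flags": 0, "attrs": {}}
            slots.append(cur)
        elif cur is not None:
            m = re.match(r"\s*(token \w+|serial num)\s*:\s*(.*)", lines[i])
            if m:
                key, val = m.group(1), m.group(2).strip()
                # a wrapped value continues on an indented line that carries no colon
                while i + 1 < len(lines) and ":" not in lines[i + 1] and re.match(r"\s{6,}\S", lines[i + 1]):
                    i += 1
                    val += " " + lines[i].strip()
                cur["attrs"][key] = val
                if key == "token flags":
                    for name in val.split(","):
                        cur["flags"] |= TOKEN_FLAGS.get(name.strip(), 0)
        i += 1
    return slots

def must_login_before_sign(slot, logged_in=False):
    """Engine check before C_Sign: CKF_LOGIN_REQUIRED set and no C_Login yet means the user must be asked for a PIN."""
    return bool(slot["flags"] & CKF_LOGIN_REQUIRED) and not logged_in

def ckr_from_openssl_error(code):
    """OpenSSL packs lib:func:reason as 8:12:12 bits; engine_pkcs11 stores the CKR_* value as the reason (assumption)."""
    return code & 0xFFF
```

Running the muscle sample through the parser yields flags 0x40D, so `must_login_before_sign` is true and a sign attempt without a PIN prompt is expected to fail exactly as the kinit trace shows.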
