So the patch that I needed to apply to make it work (which is still required)
is this:
--- p11_object.c.orig 2008-05-31 09:24:52.000000000 -0700
+++ p11_object.c 2010-02-23 09:18:42.000000000 -0800
@@ -378,11 +378,28 @@
}
else
{
+ if (pTemplate[i].type == 0x103) {
+ log_Log(LOG_LOW, "Got expected error, faking a 103
attribute (TRUE)");
+ pTemplate[i].ulValueLen = (CK_ULONG)1;
+ if (pTemplate[i].pValue != 0) {
+ ((char*)(pTemplate[i].pValue))[0] = 1;
+ }
+ rv = CKR_OK;
+ } else if (pTemplate[i].type == 0x162) {
+ log_Log(LOG_LOW, "Got expected error, faking a 162
attribute (FALSE)");
+ pTemplate[i].ulValueLen = (CK_ULONG)1;
+ if (pTemplate[i].pValue != 0) {
+ ((char*)(pTemplate[i].pValue))[0] = 0;
+ }
+ rv = CKR_OK;
+ } else
+ {
pTemplate[i].ulValueLen = (CK_ULONG)-1;
perm_rv = rv;
rv = CKR_OK;
}
}
+ }
if ((rv == CKR_OK) && (perm_rv != CKR_OK))
rv = perm_rv;
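Review bot: the faked boolean is stored into the caller's buffer without checking the caller-supplied length: `if (pTemplate[i].pValue != 0) { ((char*)(pTemplate[i].pValue))[0] = 1; }` writes a byte whenever pValue is non-NULL, but C_GetAttributeValue is expected to treat a NULL pValue as a size query and, when the supplied ulValueLen is smaller than the value, to set ulValueLen and return CKR_BUFFER_TOO_SMALL instead of writing; the store should be guarded by `pTemplate[i].ulValueLen >= 1` before ulValueLen is overwritten with 1. The two new branches also fire for every object class and for whatever error rv holds at that point, so a certificate or public key lacking attribute 0x103 would be reported with it set to TRUE; gating on the object being a private key (and on the specific error being papered over) keeps the workaround to the case the mail describes. The bare 0x103 and 0x162 should be the CKA_SENSITIVE and CKA_EXTRACTABLE constants from pkcs11.h, which also makes the TRUE/FALSE in the log messages self-explanatory. Note too that, as pasted, both log_Log string literals are broken across lines ("faking a 103" / "attribute (TRUE)") and must be re-joined before the patch compiles.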
I don't say that's the best solution to the problem, but it is necessary for
any activities that use a private key using the Sun PKCS11 provider configured
to use libmusclepkcs11. The better solution, no doubt, would be to ensure that
private keys actually *have* those attributes so that libmusclepkcs11 can find
them.
It's also unclear to me why jarsigner only works with -sigalg specified. Even
if I specify md5withrsa (which is supposed to be jarsigner's default), it
*works*, but without any sigalg argument, it fails.
On Feb 23, 2010, at 1:39 AM, Nick Sayer wrote:
> Eureka.
>
> Just as I was about to give up, I wrote some sample code that signed a blob
> of crap with the private key and verified it against the cert. And it worked.
> So I wondered if the issue had something to do with the choice of signature
> algorithms.
>
> And sure enough
>
> jarsigner -sigalg sha256withrsa -storetype pkcs11 gpj.jar signer
>
> works.
>
> And jarsigner -verify gpj.jar also works.
>
> Unless there is some reason why such a signature would not be acceptable for
> things like webstart, I think that means that I could happily put a code
> signing cert and key on a smart card and leave it sitting on my desk except
> when I wanted to use it. Which is nice and secure.
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
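For comparison with the patch above, here is an added example (written for this thread, not libmusclepkcs11 code) of a PKCS#11-style C_GetAttributeValue template walk that supplies CKA_SENSITIVE / CKA_EXTRACTABLE defaults only for private-key objects that lack them, and that honours the caller's buffer length the way the spec requires (NULL pValue is a size query, a short buffer gets CKR_BUFFER_TOO_SMALL and is never written). The CK_* types, the constants and the in-memory object store are local stand-ins for pkcs11.h so it builds without the real header; the numeric values of CKA_SENSITIVE (0x103) and CKA_EXTRACTABLE (0x162) are the ones from the specification, and the key and certificate objects in the two check functions are constructed samples.

```c
/* Added example, not libmusclepkcs11 code: a PKCS#11-style C_GetAttributeValue
 * template walk that defaults CKA_SENSITIVE / CKA_EXTRACTABLE for private keys
 * that lack them while honouring the caller's buffer length. The CK_* types,
 * constants and object store are local stand-ins for pkcs11.h. */
#include <stddef.h>
#include <string.h>

typedef unsigned long CK_ULONG, CK_RV, CK_ATTRIBUTE_TYPE, CK_OBJECT_CLASS;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
/* Numeric values as in the PKCS#11 specification. */
#define CKA_CLASS                  0x000UL
#define CKA_SENSITIVE              0x103UL   /* the bare 0x103 in the patch */
#define CKA_EXTRACTABLE            0x162UL   /* the bare 0x162 in the patch */
#define CKO_CERTIFICATE            0x001UL
#define CKO_PRIVATE_KEY            0x003UL
#define CK_TRUE                    1
#define CK_FALSE                   0
#define CKR_OK                     0x000UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x012UL
#define CKR_BUFFER_TOO_SMALL       0x150UL
/* Toy object: an attribute list standing in for the token's object store. */
typedef struct { CK_ATTRIBUTE_TYPE type; const void *value; CK_ULONG len; } StoredAttr;
typedef struct { const StoredAttr *attrs; size_t count; } Object;

static const StoredAttr *find_attr(const Object *obj, CK_ATTRIBUTE_TYPE type) {
    for (size_t i = 0; i < obj->count; i++)
        if (obj->attrs[i].type == type) return &obj->attrs[i];
    return NULL;
}

static int is_private_key(const Object *obj) {
    const StoredAttr *cls = find_attr(obj, CKA_CLASS);
    return cls != NULL && cls->len == sizeof(CK_OBJECT_CLASS) &&
           *(const CK_OBJECT_CLASS *)cls->value == CKO_PRIVATE_KEY;
}

/* Copy one value into the caller's slot following the spec rules: a NULL
 * pValue is a size query; a buffer shorter than the value is never written. */
static CK_RV copy_attr(CK_ATTRIBUTE *slot, const void *value, CK_ULONG len) {
    if (slot->pValue == NULL) { slot->ulValueLen = len; return CKR_OK; }
    if (slot->ulValueLen < len) { slot->ulValueLen = len; return CKR_BUFFER_TOO_SMALL; }
    memcpy(slot->pValue, value, len);
    slot->ulValueLen = len;
    return CKR_OK;
}

CK_RV get_attribute_value(const Object *obj, CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount) {
    static const CK_BBOOL bTrue = CK_TRUE, bFalse = CK_FALSE;
    CK_RV perm_rv = CKR_OK;   /* first error; the rest of the template is still filled */
    for (CK_ULONG i = 0; i < ulCount; i++) {
        CK_ATTRIBUTE *slot = &pTemplate[i];
        const StoredAttr *a = find_attr(obj, slot->type);
        CK_RV rv;
        if (a != NULL)
            rv = copy_attr(slot, a->value, a->len);
        else if (is_private_key(obj) && slot->type == CKA_SENSITIVE)
            rv = copy_attr(slot, &bTrue, sizeof bTrue);    /* conservative default */
        else if (is_private_key(obj) && slot->type == CKA_EXTRACTABLE)
            rv = copy_attr(slot, &bFalse, sizeof bFalse);  /* conservative default */
        else {
            slot->ulValueLen = (CK_ULONG)-1;               /* spec: attribute unavailable */
            rv = CKR_ATTRIBUTE_TYPE_INVALID;
        }
        if (rv != CKR_OK && perm_rv == CKR_OK) perm_rv = rv;
    }
    return perm_rv;
}

/* Constructed private key carrying only CKA_CLASS, queried with one slot per
 * interesting path. Returns 1 only if every spec rule held. */
int private_key_defaults_ok(void) {
    static const CK_OBJECT_CLASS cls = CKO_PRIVATE_KEY;
    const StoredAttr attrs[] = { { CKA_CLASS, &cls, sizeof cls } };
    const Object key = { attrs, 1 };
    CK_BBOOL sens = 0xAA, extr = 0xAA;
    CK_ATTRIBUTE t[4] = {
        { CKA_SENSITIVE,   &sens, sizeof sens },  /* room for the boolean */
        { CKA_EXTRACTABLE, NULL,  0 },            /* size query only */
        { CKA_EXTRACTABLE, &extr, 0 },            /* too small: must not be written */
        { 0x999,           NULL,  0 },            /* absent, no default */
    };
    CK_RV rv = get_attribute_value(&key, t, 4);
    return rv == CKR_BUFFER_TOO_SMALL && sens == CK_TRUE && t[0].ulValueLen == 1 &&
           t[1].ulValueLen == 1 && extr == 0xAA && t[2].ulValueLen == 1 &&
           t[3].ulValueLen == (CK_ULONG)-1;
}

/* A certificate object gets no key-only defaults: the slot stays invalid. */
int certificate_not_defaulted(void) {
    static const CK_OBJECT_CLASS cls = CKO_CERTIFICATE;
    const StoredAttr attrs[] = { { CKA_CLASS, &cls, sizeof cls } };
    const Object cert = { attrs, 1 };
    CK_BBOOL sens = 0xAA;
    CK_ATTRIBUTE t[1] = { { CKA_SENSITIVE, &sens, sizeof sens } };
    return get_attribute_value(&cert, t, 1) == CKR_ATTRIBUTE_TYPE_INVALID &&
           sens == 0xAA && t[0].ulValueLen == (CK_ULONG)-1;
}
```

The defaults chosen (sensitive, not extractable) are the conservative ones for a key that lives on a smart card; a real token would read them from the card rather than invent them, which is the "better solution" the mail points at.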