[39316] in Kerberos


Re: Using PKINIT with ECC

daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Sun Nov 19 12:34:42 2023

Message-ID: <202311191733.3AJHXASl018607@hedwig.cmf.nrl.navy.mil>
To: Goetz Golla <mit@sec4mail.de>
cc: kerberos@mit.edu
In-Reply-To: <81bc4460-b88a-4dfe-b538-e22805a086ea@sec4mail.de>
MIME-Version: 1.0
Date: Sun, 19 Nov 2023 12:33:10 -0500
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>P:296321; T:0x140609979246400 17:33:26.054 [opensc-pkcs11] 
>pkcs11-object.c:697:C_SignInit: C_SignInit() = CKR_KEY_HANDLE_INVALID
>
>So there is some problem with opensc-pkcs11. Interestingly I am using 
>the same Yubikey successfully with pam-pkcs11 to authenticate without 
>problems.

CKR_KEY_HANDLE_INVALID means "The handle passed is not a valid key".
Which is not exactly helpful ("handles" in PKCS#11 are nonzero integers
and refer to objects on the card).  You MIGHT be running into an issue
where there is a bug in the PKINIT code that makes PKCS#11 calls but
that code has been stable for a long time so I would be surprised if the
failure was there (but, I have been surprised before!).  I believe there
is some environment variable or other configuration you can set to get
more debugging information out of opensc but I don't recall it right
now.

However, I believe Yubico provides a PKCS#11 module for Yubikeys; have
you tried that?  The OpenSC people usually do a good job in terms of
supporting a wide variety of cards but depending on how old the particular
version of OpenSC you are using is you may be running into a compatibility
issue.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
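
Added example, not part of the message above or of OpenSC or MIT Kerberos: a small triage script that pulls every PKCS#11 call with a return value other than CKR_OK out of an OpenSC debug log, so the first failing call can be located. It assumes each record has the header layout of the quoted log line; the two CKR_OK records in the sample are constructed, and the function names `unwrap` and `failures` are hypothetical.

```python
import re

# Record header as it appears in the quoted log line:
# P:<pid>; T:0x<thread> <hh:mm:ss.mmm> [<context>] <file>:<line>:<function>: <message>
LINE_RE = re.compile(
    r"^P:(?P<pid>\d+); T:0x(?P<thread>[0-9a-fA-F]+) (?P<time>\d\d:\d\d:\d\d\.\d+) "
    r"\[(?P<ctx>[^\]]+)\]\s+(?P<src>[\w.\-]+):(?P<line>\d+):(?P<func>\w+):\s*(?P<msg>.*)$"
)
# A PKCS#11 entry point reporting its return value: "C_SignInit() = CKR_..."
RET_RE = re.compile(r"(?P<call>C_\w+)\(.*?\)\s*=\s*(?P<rv>CKR_\w+)")

# Sample input. The first two records are constructed; the last is the record
# from the message, kept '>'-quoted and wrapped the way a mail client left it.
SAMPLE = """\
P:296321; T:0x140609979246400 17:33:25.901 [opensc-pkcs11] pkcs11-session.c:100:C_OpenSession: C_OpenSession() = CKR_OK
P:296321; T:0x140609979246400 17:33:25.990 [opensc-pkcs11] pkcs11-object.c:500:C_FindObjects: C_FindObjects() = CKR_OK
>P:296321; T:0x140609979246400 17:33:26.054 [opensc-pkcs11]
>pkcs11-object.c:697:C_SignInit: C_SignInit() = CKR_KEY_HANDLE_INVALID
"""

def unwrap(text):
    """Rejoin records that were '>'-quoted and wrapped; a blank line ends a record."""
    records, open_rec = [], False
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if line.startswith("P:"):
            records.append(line)
            open_rec = True
        elif line and open_rec:
            records[-1] += " " + line   # continuation of a wrapped record
        else:
            open_rec = False            # blank line or unrelated prose
    return records

def failures(text):
    """Return one dict per PKCS#11 call that did not return CKR_OK, in log order."""
    out = []
    for rec in unwrap(text):
        m = LINE_RE.match(rec)
        r = RET_RE.search(m["msg"]) if m else None
        if r and r["rv"] != "CKR_OK":
            out.append({"time": m["time"], "pid": int(m["pid"]),
                        "where": f'{m["src"]}:{m["line"]}',
                        "call": r["call"], "rv": r["rv"]})
    return out

if __name__ == "__main__":
    for f in failures(SAMPLE):
        print(f'{f["time"]} pid={f["pid"]} {f["where"]} {f["call"]} -> {f["rv"]}')
```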
