[39317] in Kerberos
Re: Using PKINIT with ECC
daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Sun Nov 19 12:43:31 2023
Message-ID: <202311191741.3AJHfvZV019105@hedwig.cmf.nrl.navy.mil>
To: Goetz Golla <mit@sec4mail.de>
cc: kerberos@mit.edu
In-Reply-To: <81bc4460-b88a-4dfe-b538-e22805a086ea@sec4mail.de>
MIME-Version: 1.0
Date: Sun, 19 Nov 2023 12:41:57 -0500
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>P:296321; T:0x140609979246400 17:33:26.054 [opensc-pkcs11]
>pkcs11-object.c:697:C_SignInit: C_SignInit() = CKR_KEY_HANDLE_INVALID
As a follow-up to my previous message, I believe the problem is that for
_smartcards_ the PKCS#11 mechanism is hardcoded to CKM_RSA_PKCS:
/*
* We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but
* historically many cards seem to be confused about whether they are
* capable of mechanisms or not. The safe thing seems to be to ignore the
* mechanism list, always use CKM_RSA_PKCS and calculate the sha256 digest
* ourselves.
*/
id_cryptoctx->mech = CKM_RSA_PKCS;
There's a CKM_ECDSA_SHA1 mechanism which does the hashing for you, and
there's also a CKM_ECDSA mechanism where you have to calculate the hash
value which is kind of close (but not exactly the same as) to CKM_RSA_PKCS.
So, dang, code is going to have to be written.
--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
