[39322] in Kerberos
Re: Using PKINIT with ECC
daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Fri Nov 24 15:49:01 2023
Message-ID: <202311242047.3AOKlYk3019409@hedwig.cmf.nrl.navy.mil>
To: Goetz Golla <mit@sec4mail.de>
cc: kerberos@mit.edu
In-Reply-To: <414fe2a9-56ad-4401-b72a-4c002405e56c@sec4mail.de>
MIME-Version: 1.0
Date: Fri, 24 Nov 2023 15:47:34 -0500
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>> However, I believe Yubico provides a PKCS#11 module for Yubikeys; have
>> you tried that? The OpenSC people usually do a good job in terms of
>> supporting a wide variety of cards but depending on how old the particular
>> version of OpenSC you are using is you may be running into a compatibility
>> issue.
>>
>> --Ken
>
>Indeed the module provided by Yubico solved the issue. It is called
>ykcs11 and is readily available in the Linux package managers.

I am a LITTLE surprised it worked! The MIT PKINIT plugin hard-codes
the mechanism in the request; I guess the Yubico library ignores the
mechanism given to it, which seems strange to me.

I have to ask ... are you SURE that it's using ECC? Because the code that
uses the PKCS#11 library is actually generating a PKCS#1 digest. I was
under the impression that ECC signatures are in a different format, so
I am puzzled how it works at all.

>[14174] 1700562344.750583: PKINIT error: There are 3 certs, but there
>must be exactly one.

I also use smartcards with multiple certificates, and ... well, I'm
not sure how the code would get it wrong. I would use some PKCS#11
tools to poke at the Yubico library to see what certificates it
says that it has (the KRB5_TRACE output should give you the subjects
of the certificates that it finds).
--Ken
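The format difference Ken raises above (a PKCS#1 DigestInfo handed to an RSA mechanism versus what an ECDSA mechanism consumes and returns) can be made concrete without any token. The following is an added example for this archive page, not code from the thread or from the MIT krb5 PKINIT plugin; all signature bytes in it are constructed, and it does not claim anything about how ykcs11 actually treats a mismatched mechanism. It builds the RSASSA-PKCS1-v1_5 DigestInfo for SHA-256 (the buffer a CKM_RSA_PKCS signer expects), contrasts it with the bare digest a CKM_ECDSA signer expects, flags which of the two a to-be-signed buffer looks like, and converts between the raw r||s output that PKCS#11 CKM_ECDSA returns and the DER ECDSA-Sig-Value that CMS and X.509 carry.

```python
import hashlib

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
# An RSASSA-PKCS1-v1_5 signer (PKCS#11 CKM_RSA_PKCS) is handed this prefix
# followed by the 32-byte hash; it is NOT what an ECDSA signer consumes.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def pkcs1_digestinfo_sha256(data: bytes) -> bytes:
    """Buffer a CKM_RSA_PKCS signer expects for a SHA-256 PKCS#1 v1.5 signature."""
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(data).digest()


def ecdsa_sign_input_sha256(data: bytes) -> bytes:
    """Buffer a CKM_ECDSA signer expects: the bare hash, no DigestInfo wrapper."""
    return hashlib.sha256(data).digest()


def classify_sign_input(buf: bytes) -> str:
    """Say whether a to-be-signed buffer looks like a PKCS#1 DigestInfo or a bare digest.
    Useful when checking a trace of what a caller handed to C_Sign."""
    if buf.startswith(SHA256_DIGESTINFO_PREFIX) and len(buf) == len(SHA256_DIGESTINFO_PREFIX) + 32:
        return "pkcs1-digestinfo-sha256"
    if len(buf) in (20, 32, 48, 64):  # SHA-1 / SHA-256 / SHA-384 / SHA-512 widths
        return "bare-digest"
    return "unknown"


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_uint(n: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 keeps it positive)."""
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def ecdsa_raw_to_der(raw_sig: bytes) -> bytes:
    """PKCS#11 CKM_ECDSA returns r||s, each zero-padded to the curve's field width.
    CMS and X.509 carry DER SEQUENCE { INTEGER r, INTEGER s } instead."""
    if len(raw_sig) == 0 or len(raw_sig) % 2:
        raise ValueError("raw ECDSA signature must be r||s of equal width")
    half = len(raw_sig) // 2
    r = int.from_bytes(raw_sig[:half], "big")
    s = int.from_bytes(raw_sig[half:], "big")
    body = _der_uint(r) + _der_uint(s)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int, tag: int):
    """Read one DER TLV with the expected tag; return (contents, position after it)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag at offset %d" % pos)
    pos += 1
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return buf[pos:pos + length], pos + length


def ecdsa_der_to_raw(der_sig: bytes, coord_len: int) -> bytes:
    """Inverse of ecdsa_raw_to_der: DER ECDSA-Sig-Value -> r||s of coord_len bytes each."""
    seq, end = _read_tlv(der_sig, 0, 0x30)
    if end != len(der_sig):
        raise ValueError("trailing bytes after ECDSA-Sig-Value")
    r_bytes, pos = _read_tlv(seq, 0, 0x02)
    s_bytes, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("extra content inside ECDSA-Sig-Value")
    r = int.from_bytes(r_bytes, "big")
    s = int.from_bytes(s_bytes, "big")
    if r >= 1 << (8 * coord_len) or s >= 1 << (8 * coord_len):
        raise ValueError("r or s does not fit the stated field width")
    return r.to_bytes(coord_len, "big") + s.to_bytes(coord_len, "big")


if __name__ == "__main__":
    # Constructed values, not a real signature: P-256-width r||s with r = 0x8080...,
    # which needs a leading 0x00 in DER so the INTEGER stays positive.
    raw = b"\x80" * 32 + b"\x02" * 32
    der = ecdsa_raw_to_der(raw)
    print("PKCS#1 input :", classify_sign_input(pkcs1_digestinfo_sha256(b"constructed")))
    print("ECDSA input  :", classify_sign_input(ecdsa_sign_input_sha256(b"constructed")))
    print("raw -> DER   :", der.hex())
    print("round trip ok:", ecdsa_der_to_raw(der, 32) == raw)
```

For the multi-certificate question in the same message, the listing Ken suggests can be done with OpenSC's pkcs11-tool pointed at the Yubico module, for example `pkcs11-tool --module /path/to/libykcs11.so --list-objects --type cert` (the module path varies by distribution); comparing that list against the subjects KRB5_TRACE prints shows which three certificates the PKINIT plugin is seeing.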
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos