[opensc-devel] Using Heimdal PKINIT with OpenSC-0.10.0 loading the key before loading the cert

[opensc-devel] Using Heimdal PKINIT with OpenSC-0.10.0 loading the key before loading the cert

Douglas E. Engert
OpenSC-0.10.0, engine-pkcs11-0.1.2, and libp11-0.2.0 were released
yesterday. They contain two fixes and a change in the format of the string
used with the PKINIT KEY= and CERT=.


ENGINE:KEY=slot_0,CERT=slot_0 will no longer work, but
ENGINE:KEY=1,CERT=1 will. This says use cert and key ID 1 from the
first card found. (Other formats may also work but not slot_0)

The first fix causes the PKCS11 to be closed and the card disconnected
when the engine is finished.  Without this fix gdm using pam_krb5
to use PKINIT would lock on to the card/reader and not allow other
processes to use the card, as gdm keeps running in the background.

The second fix allows the engine load_cert_ctrl routines to be called
after the engine_load_private_key. Before this fix if the order was
switched the engine could not access the key when needed, as the
load_cert_ctrl would have dropped the connection for the key.

Attached is a patch to pkinit.c that reverses the order of the calls
to the load_cert_ctrl and the load_private_key, so the load_private_key
is done first. This will use the PIN to login to the card, and will
then allow pin protected certificates to be read off the card.

The NIST SP800-73 PIV card specification calls for the certificate to
be protected by the pin, so this change will allow these cards to work.
NIST may change the standard, as there are no other cards that keep
the certificate private, and most other applications try and read the
certificate before asking for a pin.

So if this patch is installed, engine_pkcs11-0.1.2 is also required.

Thanks.



--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

--- lib/krb5/,pkinit.c Sun Sep 25 10:14:31 2005
+++ lib/krb5/pkinit.c Wed Oct 19 08:13:36 2005
@@ -2307,32 +2307,7 @@
     if (ret)
  goto out;
 
-    /*
-     * If the engine supports a LOAD_CERT_CTRL function, lets try
-     * it. OpenSC support this function. Eventially this should be
-     * a ENGINE_load_cert function if it failes, treat it like a
-     * non fatal error.
-     */
-    {
- struct {
-    const char * cert_id;
-    X509 * cert;
- } parms;
-
- parms.cert_id = ctx.cert_file;
- parms.cert = NULL;
- ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
- if (parms.cert) {
-    id->cert = sk_X509_new_null();
-    sk_X509_insert(id->cert, parms.cert, 0);
- }  
-    }
-
-    if (id->cert == NULL) {
- ret = load_openssl_cert(context, ctx.cert_file, &id->cert);
- if (ret)
-    goto out;
-    }
+ /* load key before cert, incase smartcard pin is required for cert */
 
     {
  UI_METHOD * krb5_ui_method = NULL;
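Review bot: the `---` header names the old file as `lib/krb5/,pkinit.c` (stray comma before `pkinit.c`), so the patch will not find the original file unless the path prefix is stripped; it should read `lib/krb5/pkinit.c` like the `+++` line. Within the hunk, the single added line `/* load key before cert, incase smartcard pin is required for cert */` is indented with one space where the enclosing block uses four, and "incase" should be "in case"; consider matching the surrounding indentation before this is committed.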
@@ -2362,6 +2337,33 @@
  UI_destroy_method(krb5_ui_method);
     }
 
+    /*
+     * If the engine supports a LOAD_CERT_CTRL function, lets try
+     * it. OpenSC support this function. Eventially this should be
+     * a ENGINE_load_cert function if it failes, treat it like a
+     * non fatal error.
+     */
+    {
+ struct {
+    const char * cert_id;
+    X509 * cert;
+ } parms;
+
+ parms.cert_id = ctx.cert_file;
+ parms.cert = NULL;
+ ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
+ if (parms.cert) {
+    id->cert = sk_X509_new_null();
+    sk_X509_insert(id->cert, parms.cert, 0);
+ }  
+    }
+
+    if (id->cert == NULL) {
+ ret = load_openssl_cert(context, ctx.cert_file, &id->cert);
+ if (ret)
+    goto out;
+    }
+
     if (id->private_key == NULL) {
  krb5_set_error_string(context,
       "PKINIT: failed to load private key: %s",
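Review bot: the moved certificate block now runs before the `if (id->private_key == NULL)` check at the end of this hunk, so when the private-key load failed the code still calls `ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1)` and possibly `load_openssl_cert` before reporting the key error; moving the `private_key == NULL` check (with its `goto out`) ahead of the `/* If the engine supports a LOAD_CERT_CTRL function ... */` block would fail fast and avoid a second card access after a failed PIN. Independently of the move, the return value of `sk_X509_new_null()` is not checked: on NULL, `sk_X509_insert` becomes a no-op, `parms.cert` is leaked and `id->cert` stays NULL, silently falling through to the file-based `load_openssl_cert`. The comment text ("lets", "Eventially", "failes", "OpenSC support") is carried over unchanged and could be tidied while the block is being moved.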

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: [opensc-devel] Using Heimdal PKINIT with OpenSC-0.10.0 loading the key before loading the cert

Andreas Jellinghaus-2
Hi Douglas,


sorry, I broke engine_pkcs11.
could you try engine_pkcs11 and libp11, both trunk or
2005-11-05 (available in a few hours)?

I added:
 - make PKCS11_get_rsa_method public (compile fix for windows)
 - allow to not give any slot/key/cert string.
 - allow to specify slot only

If it fixes your issue, I will release updated versions of
libp11 and engine_pkcs11 :)

Andreas

Re: [opensc-devel] Using Heimdal PKINIT with OpenSC-0.10.0 loading the key before loading the cert

Douglas E. Engert


Andreas Jellinghaus wrote:

> Hi Douglas,
>
>
> sorry, I broke engine_pkcs11.
> could you try engine_pkcs11 and libp11, both trunk or
> 2005-11-05 (available in a few hours)?
>
> I added:
>  - make PKCS11_get_rsa_method public (compile fix for windows)
>  - allow to not give any slot/key/cert string.
>  - allow to specify slot only
>

I am on vacation so it would be hard to test, as the cards are at work.
I can get along without the slot_0, but it would be nice to have
it work in the future. So don't do any special release just for me.


> If it fixes your issue, I will release updated versions of
> libp11 and engine_pkcs11 :)
>

also look at:

    125  int pkcs11_finish(ENGINE * engine)
    126  {
    127      if (ctx) {
    128          PKCS11_CTX_unload(ctx);
    129      }

There used to be a:

    PKCS11_CTX_free(ctx);

Should the code actually have:

    125  int pkcs11_finish(ENGINE * engine)
    126  {
    127      if (ctx) {
    128          PKCS11_CTX_unload(ctx);
                PKCS11_CTX_free(ctx);
                ctx = NULL;
    129      }

Without these, is there a possibility of a memory leak as well?


> Andreas
>
>

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: [opensc-devel] Using Heimdal PKINIT with OpenSC-0.10.0 loading the key before loading the cert

Andreas Jellinghaus-2
On Thursday 03 November 2005 23:39, Douglas E. Engert wrote:
> I am on vacation so it would be hard to test, as the cards are at work.
> I can get along without the slot_0, but it would be nice to have
> it work in the future. So don't do any special release just for me.

ah, ok. don't worry, those are simply bugs I want to get fixed.
for example engine_pkcs11 right now does not compile on
windows without the first patch, so there is good reason
for a new release.

> also look at:
>
>     125  int pkcs11_finish(ENGINE * engine)
>     126  {
>     127      if (ctx) {
>     128          PKCS11_CTX_unload(ctx);
>     129      }
>
> There used to be a:
>
>     PKCS11_CTX_free(ctx);

yes, but the free only didn't work: openssl failed in a
load / use / unload / try to load again cycle.

>
> Should the code actually have:
>
>     125  int pkcs11_finish(ENGINE * engine)
>     126  {
>     127      if (ctx) {
>     128          PKCS11_CTX_unload(ctx);
> PKCS11_CTX_free(ctx);
> ctx = NULL;
>     129      }

right, unload and free are much better.
maybe we should even fix free to also
do the unload, if someone forgets?

Andreas
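The unload/free discussion above, as an added example that is neither engine_pkcs11 nor libp11 code: a small C model of a global engine context with allocation counters, using hypothetical names (demo_ctx_*, demo_engine_init, demo_engine_finish) and a made-up module path. It shows finish doing unload, free and ctx = NULL so the engine can be initialised again, and a free that performs the unload itself if the caller forgot, so a load / use / unload / load-again cycle leaves nothing allocated.

```c
/* Added example (not engine_pkcs11 or libp11 code): a minimal model of the
 * PKCS11_CTX load/unload/free lifecycle discussed in the thread, with
 * counters so a load / use / unload / load-again cycle can be checked for
 * leaks and double frees. All names and the module path are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Observation counters: contexts currently allocated, modules currently loaded. */
static int live_ctx = 0;
static int live_modules = 0;

typedef struct {
    char *module_path;   /* hypothetical: the PKCS#11 module that was loaded */
    int loaded;          /* 1 while the module is "loaded" */
} demo_ctx;

static demo_ctx *demo_ctx_new(void) {
    demo_ctx *c = calloc(1, sizeof *c);
    if (c) live_ctx++;
    return c;
}

static int demo_ctx_load(demo_ctx *c, const char *path) {
    if (!c || c->loaded) return -1;          /* refuse a double load */
    size_t len = strlen(path) + 1;
    c->module_path = malloc(len);
    if (!c->module_path) return -1;
    memcpy(c->module_path, path, len);
    c->loaded = 1;
    live_modules++;
    return 0;
}

/* Idempotent: unloading twice, or unloading an unloaded ctx, is harmless. */
static void demo_ctx_unload(demo_ctx *c) {
    if (!c || !c->loaded) return;
    free(c->module_path);
    c->module_path = NULL;
    c->loaded = 0;
    live_modules--;
}

/* free also performs the unload if the caller forgot it. */
static void demo_ctx_free(demo_ctx *c) {
    if (!c) return;
    demo_ctx_unload(c);
    free(c);
    live_ctx--;
}

/* Engine-style global context, mirroring the `ctx` used by pkcs11_finish. */
static demo_ctx *ctx = NULL;

/* Returns 1 on fresh init, 0 if already initialised, -1 on failure. */
static int demo_engine_init(const char *path) {
    if (ctx) return 0;
    ctx = demo_ctx_new();
    if (!ctx) return -1;
    if (demo_ctx_load(ctx, path) != 0) {
        demo_ctx_free(ctx);
        ctx = NULL;
        return -1;
    }
    return 1;
}

/* The corrected finish: unload, free, and reset the pointer so a later
 * init starts from a clean state instead of seeing a dangling ctx. */
static int demo_engine_finish(void) {
    if (ctx) {
        demo_ctx_unload(ctx);
        demo_ctx_free(ctx);   /* second unload inside is a no-op */
        ctx = NULL;
    }
    return 1;
}

/* Runs n init/finish cycles; returns 0 only if nothing leaked. */
static int demo_cycle_leaks(int n) {
    for (int i = 0; i < n; i++) {
        if (demo_engine_init("/hypothetical/opensc-pkcs11.so") != 1) return -1;
        demo_engine_finish();
    }
    return (live_ctx == 0 && live_modules == 0) ? 0 : 1;
}

int main(void) {
    printf("leaked after 3 cycles: %d\n", demo_cycle_leaks(3));
    return 0;
}
```

The counters stand in for what a leak checker such as valgrind would report on the real engine: if finish only unloads, `live_ctx` stays above zero after each cycle; if it frees without nulling `ctx`, the next init returns 0 and keeps using a freed pointer.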

Re: Using Heimdal PKINIT with OpenSC-0.10.0 loading the key before loading the cert

Love Hörnquist Åstrand

"Douglas E. Engert" <[hidden email]> writes:

> So if this patch is installed, engine_pkcs11-0.1.2 is also required.

I'll apply your patch and update the examples when I get back to network,
thanks.

Love

