[opensc-user] PIN not always requested?

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[opensc-user] PIN not always requested?

Geoffrey Elgey-2
G'day,

[not sure if this is a muscle, opensc, or heimdal problem, so
cross-posting to multiple lists]

I'm having a problem when using Heimdal pkinit with opensc's
pkcs11-enabled crypto engine and the pkcs#11 library provided with muscle.

When I do a kinit using the gemplus PKCS#11 library and a gemsafe card,
I get asked for a PIN to access the private key on the card:

   $ pkcs11-tool --module /usr/lib/gemsafe/libgemsafe.so --show-info
   Cryptoki version 2.1
   Manufacturer     Gemplus
   Library          PKCS#11 Cryptoki (ver 4.0)

   $ pkcs11-tool --module /usr/lib/gemsafe/libgemsafe.so --list-slots
   Available slots:
   Slot 0           Twin 00 00
   token state:   uninitialized

   $ /usr/heimdal/bin/kinit -C ENGINE:CERT=slot_0,KEY=slot_0
   initializing engine
   Found 1 slot
   [0] Twin 00 00                 uninitialized, login
                                  (GemSAFE-D808250F240D)
   Found slot:  Twin 00 00
   Found token: GemSAFE-D808250F240D
   Found 1 cert:
   Found 1 slot
   [0] Twin 00 00                 uninitialized, login
                                  (GemSAFE-D808250F240D)
   Found slot:  Twin 00 00
   Found token: GemSAFE-D808250F240D
   Found 1 certificate:
      1     (/DC=vas/DC=sc/CN=Users/CN=Matlock)
   PKCS#11 token PIN:
   Found 1 key:
      1 P

However, when I replace the gemsafe PKCS#11 library with the muscle
pkcs#11 library abd a cyberflex card, there is no prompt for the PIN:

   $ pkcs11-tool --module /usr/local/lib/libmusclepkcs11.so --show-info
   Cryptoki version 2.11
   Manufacturer     SCHLUMBERGER
   Library          SLB PKCS #11 module (ver 1.0)

   $ pkcs11-tool --module /usr/local/lib/libmusclepkcs11.so --list-slots
   Available slots:
   Slot 1           SCR 331 00 00
     token label:   MuscleCard Applet
     token manuf:   Unknown MFR
     token model:   Unknown Model
     token flags:   rng, login required, PIN initialized, token
                    initialized
     serial num  :  1

   $ /usr/heimdal/bin/kinit -C ENGINE:CERT=slot_0,KEY=slot_0
   initializing engine
   Found 1 slot
   [0] SCR 331 00 00              login             (MuscleCard Applet)
   Found slot:  SCR 331 00 00
   Found token: MuscleCard Applet
   Found 1 cert:
   Found 1 slot
   [0] SCR 331 00 00              login             (MuscleCard Applet)
   Found slot:  SCR 331 00 00
   Found token: MuscleCard Applet
   Found 1 certificate:
      1    DC=vas, DC=sc, CN=Users, CN=Matlock
           (/DC=vas/DC=sc/CN=Users/CN=Matlock)
   Found 1 key:
      1 P  DC=vas, DC=sc, CN=Users, CN=Matlock \
    kinit: krb5_get_init_creds: PKINIT: failed to sign with private key:
    error:2A00A101:PKCS11 library:PKCS11_rsa_sign:User not logged in


I suspect that deep within the crypto engine, code is looking at the
token flags and deciding if asking for a PIN is necessary. The token
flags seem a bit strange for the gemsafe card, but a PIN is requested.
However, no PIN is requested for the muscle card, even though the token
flags specify that login is required.

Can anyone explain what is happenning here?

-- Geoff
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user