pkinit/opensc/soft-pkcs11


pkinit/opensc/soft-pkcs11

Matthew Andrews-2
So after wrestling with a mass of linking problems I seem to finally
have openssl, heimdal, opensc, and soft-pkcs11 all built with debugging
and without optimization (YAY!). Now, however, I'm still having some
trouble getting it all to work.

when I run "kinit -C
ENGINE:ENGINE=dynamic,PRE=SO_PATH:/opt/opensc-0.9.6/lib/opensc/engine_pkcs11.so,PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,PRE=MODULE_PATH:/usr/local/lib/soft-pkcs11.so,CERT=/tmp/x509up_u31765,KEY=slot_0
ma3d"

I get the following error:
kinit: krb5_get_init_creds: Can't decrypt key: error:2A008404:PKCS11
library:PKCS11_rsa_decrypt:Not supported

Now this seems to be a case of openssl trying to use the engine that was
loaded to decrypt something, which soft-pkcs11 does not do. Is this
supposed to fail in this way?

Love, I notice that you have this error on your pkinit for heimdal page.
Is it currently possible to use soft-pkcs11 with heimdal pkinit?

Just fyi I'm using heimdal-20050927, opensc-0.9.6, openssl-0.9.8, and
soft-pkcs11-1.3.

(I could have sworn I saw this work once, but then again I might just be
completely hallucinating after spending three out of the last four days on
this stuff.)

-Matt

Re: pkinit/opensc/soft-pkcs11

Douglas E. Engert


Matthew N. Andrews wrote:
> so after wrestling with a mass of linking problems I seem to finally
> have openssl, heimdal, opensc, and soft-pkcs11 all built with debugging
> and without optimization(YAY!). now however I'm still having some
> trouble getting it all to work.
>
> when I run "kinit -C
> ENGINE:ENGINE=dynamic,PRE=SO_PATH:/opt/opensc-0.9.6/lib/opensc/engine_pkcs11.so,PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,PRE=MODULE_PATH:/usr/local/lib/soft-pkcs11.so,CERT=/tmp/x509up_u31765,KEY=slot_0
> ma3d"
>

With the cert in /tmp/x509up_u31765 it looks like you are trying to
use a Globus proxy cert. The private key should also be in the same file,
so it is not clear why you need the engine or pkcs11 at all. Try changing
KEY=slot_0 to KEY=/tmp/x509up_u31765.



> I get the following error:
> kinit: krb5_get_init_creds: Can't decrypt key: error:2A008404:PKCS11
> library:PKCS11_rsa_decrypt:Not supported
>
> now this seems to be a case of openssl trying to use the engine that was
> loaded to decrypt something which soft-pkcs11 does not do. Is this
> supposed to fail in this way?
>
> Love, I notice that you have this error on your pkinit for heimdal page.
> Is it currently possible to use soft-pkcs11 with heimdal pkinit?
>
> Just fyi I'm using heimdal-20050927, opensc-0.9.6, openssl-0.9.8, and
> soft-pkcs11-1.3.
>
> (I could have sworn I saw this work once, but then again I might just be
> completely halucinating after spending 3 out of the last four days on
> this stuff.)
>
> -Matt
>
>

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: pkinit/opensc/soft-pkcs11

Love Hörnquist Åstrand
In reply to this post by Matthew Andrews-2

"Matthew N. Andrews" <[hidden email]> writes:

> I get the following error:
> kinit: krb5_get_init_creds: Can't decrypt key: error:2A008404:PKCS11
> library:PKCS11_rsa_decrypt:Not supported

Isn't this because it's not supported in the opensc pkcs11 engine?

Try using DH instead (kinit --pkinit-use-dh), that will only work with
current Heimdal.

Love



Re: pkinit/opensc/soft-pkcs11

Matthew Andrews-2
Love Hörnquist Åstrand wrote:

> "Matthew N. Andrews" <[hidden email]> writes:
>
>> I get the following error:
>> kinit: krb5_get_init_creds: Can't decrypt key: error:2A008404:PKCS11
>> library:PKCS11_rsa_decrypt:Not supported
>
> Isn't this because its not supported in the opensc pkcs11 engine ?
>
> Try using DH instead (kinit --pkinit-use-dh), that will only work with
> current Heimdal.
>
> Love

Yes, I believe that the "Not Supported" error is originating in
soft-pkcs11. I was just trying to figure out how you would successfully
use soft-pkcs11 with kinit if this was the case. Is there a way to get
openssl to use the engine only for certain operations?

Thanks for the note about --pkinit-use-dh, I'll try that out for now.

-Matt Andrews

Re: pkinit/opensc/soft-pkcs11

Love Hörnquist Åstrand

Matthew Andrews <[hidden email]> writes:

> Yes, I believe that the "Not Supported" error is orriginating in
> soft-pkcs11. I was just trying to figure out how you would succesfully
> use soft-pkcs11 with kinit if this was the case. is there a way to get
> openssl to use the engine only for certain operations?

I think the error is from this snippet of code in opensc's openssl engine.
It doesn't support rsa encryption. soft-pkcs11 does support rsa
encryption.

/* From OpenSC's engine_pkcs11, as posted: the RSA encrypt entry point is a
   stub that only raises PKCS11_NOT_SUPPORTED, which is the "Not supported"
   error Love points at as the source of kinit's failure. */
static int
pkcs11_rsa_encrypt(int flen, const unsigned char *from, unsigned char *to,
                   RSA * rsa, int padding)
{
        /* PKCS11 calls go here */
        PKCS11err(PKCS11_F_PKCS11_RSA_ENCRYPT, PKCS11_NOT_SUPPORTED);
        return -1;
}

> thanks for the note aout --pkinit-use-dh, I'll try that out for now.

I think I'll make using DH the default when I verify that my code that
parses the dh group info is correct.

Love


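Love's two replies above point at the practical split behind the error: in the PKINIT flavour that envelopes the reply key to the client's certificate, kinit must ask the token for an RSA private-key decrypt, which the OpenSC engine stub above refuses; in the DH flavour (kinit --pkinit-use-dh) the private key is only ever used to sign the client's AuthPack, so a sign-only engine is enough. The following toy model is an added example, not Heimdal, OpenSC or soft-pkcs11 code. It skips all of the real CMS/ASN.1 framing; the SoftToken class, the textbook RSA parameters (n=3233) and the 2^127-1 DH group are assumptions chosen so that it runs offline and should not be read as anything a real PKINIT client uses.

```python
"""Toy model of the two PKINIT flavours: which private-key operations the
client's token must provide in each. Added example, not project code."""
import hashlib
import secrets


class NotSupported(Exception):
    """The token/engine does not implement the requested private-key operation."""


# Textbook RSA with a tiny modulus (p=61, q=53): illustration only, no padding.
RSA_N, RSA_E, RSA_D = 3233, 17, 2753


def _digest(data: bytes) -> int:
    """Hash the message into the RSA message space (toy substitute for PKCS#1)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % RSA_N


class SoftToken:
    """Stand-in for a PKCS#11 token behind an OpenSSL engine (assumed API).

    `ops` lists the private-key operations the engine exposes. The OpenSC
    engine in the thread exposes signing but reports RSA decryption as
    'Not supported'; soft-pkcs11 exposes both.
    """

    def __init__(self, ops):
        self.ops = set(ops)
        self.public_key = (RSA_N, RSA_E)

    def sign(self, data: bytes) -> int:
        if "sign" not in self.ops:
            raise NotSupported("PKCS11_rsa_sign: Not supported")
        return pow(_digest(data), RSA_D, RSA_N)

    def decrypt(self, ciphertext: int) -> int:
        if "decrypt" not in self.ops:
            raise NotSupported("PKCS11_rsa_decrypt: Not supported")
        return pow(ciphertext, RSA_D, RSA_N)


def rsa_verify(public_key, data: bytes, sig: int) -> bool:
    n, e = public_key
    return pow(sig, e, n) == _digest(data)


def rsa_encrypt(public_key, m: int) -> int:
    n, e = public_key
    return pow(m, e, n)


# Toy DH group: 2^127-1 is prime. Real PKINIT uses the well-known MODP groups.
DH_P = (1 << 127) - 1
DH_G = 2


def kdf(shared: int) -> bytes:
    """Derive the reply key from a shared secret (toy: plain SHA-256)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def pkinit_rsa_mode(token: SoftToken) -> bytes:
    """Public-key encryption flavour: the client signs the AS-REQ, then must
    RSA-decrypt the reply key the KDC enveloped to the client certificate."""
    auth_pack = b"AuthPack:RSA"
    sig = token.sign(auth_pack)                   # client side
    if not rsa_verify(token.public_key, auth_pack, sig):   # KDC side
        raise ValueError("KDC rejected client signature")
    reply_key = secrets.randbelow(RSA_N - 2) + 2  # KDC picks the reply key
    enveloped = rsa_encrypt(token.public_key, reply_key)
    return kdf(token.decrypt(enveloped))          # client needs decrypt here


def pkinit_dh_mode(token: SoftToken) -> bytes:
    """Diffie-Hellman flavour (kinit --pkinit-use-dh): the client signs its DH
    public value and derives the reply key from the shared secret, so the
    token is only ever asked to sign."""
    x = secrets.randbelow(DH_P - 2) + 1
    client_pub = pow(DH_G, x, DH_P)
    auth_pack = b"AuthPack:DH:" + client_pub.to_bytes(16, "big")
    sig = token.sign(auth_pack)                   # client side
    if not rsa_verify(token.public_key, auth_pack, sig):   # KDC side
        raise ValueError("KDC rejected client signature")
    y = secrets.randbelow(DH_P - 2) + 1
    kdc_pub = pow(DH_G, y, DH_P)
    kdc_key = kdf(pow(client_pub, y, DH_P))
    client_key = kdf(pow(kdc_pub, x, DH_P))       # client side
    assert client_key == kdc_key
    return client_key


def try_mode(mode, token: SoftToken) -> str:
    """Run one flavour against a token; return 'ok' or the engine's error text."""
    try:
        mode(token)
        return "ok"
    except NotSupported as exc:
        return str(exc)


if __name__ == "__main__":
    for name, tok in (("sign-only engine", SoftToken({"sign"})),
                      ("sign+decrypt engine", SoftToken({"sign", "decrypt"}))):
        print(f"{name:20} RSA mode: {try_mode(pkinit_rsa_mode, tok)}")
        print(f"{name:20} DH mode:  {try_mode(pkinit_dh_mode, tok)}")
```

Run stand-alone it shows the sign-only token failing RSA mode with the engine's "Not supported" text while succeeding in DH mode, and the sign+decrypt token succeeding in both. That is the whole reason the DH switch helps here: no change on the token is needed, only a change in which private-key operation the protocol demands of it.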

Re: pkinit/opensc/soft-pkcs11

Matthew Andrews-2
Love Hörnquist Åstrand wrote:

> Matthew Andrews <[hidden email]> writes:
>
>> Yes, I believe that the "Not Supported" error is orriginating in
>> soft-pkcs11. I was just trying to figure out how you would succesfully
>> use soft-pkcs11 with kinit if this was the case. is there a way to get
>> openssl to use the engine only for certain operations?
>
> I think the error is from this snippet of code in opensc's openssl engine.
> Its doesn't support rsa encryption. soft-pkcs11 does support rsa
> encryption.
>
> static int
> pkcs11_rsa_encrypt(int flen, const unsigned char *from, unsigned char *to,
>                    RSA * rsa, int padding)
> {
>         /* PKCS11 calls go here */
>         PKCS11err(PKCS11_F_PKCS11_RSA_ENCRYPT, PKCS11_NOT_SUPPORTED);
>         return -1;
> }

You're absolutely right about this. I even walked through this in gdb, but
it was late and I was getting tired and sloppy, and thought I was in the
soft-pkcs11 library, not the opensc library. Sorry about that.

And again, thanks for the help. At this point I can successfully use
kinit to get tickets using a key pulled from soft-pkcs11. Now I just
need to add a mechanism to soft-pkcs11 that has it require a login, and
uses the login pin to acquire credentials for the user. Time to read up
a little more on pkcs11, and figure out how I'm going to be able to get
a username (principal) all the way from the heimdal library layer down to
the pkcs11 layer (maybe as a pkcs11 object attribute that is searched for?).

Just in case anyone cares, my goal here is to have a pkcs11 software
token that requires login to retrieve a user key/cert pair, and upon
"login" to actually acquire the key/cert from a globus myproxy server.

I'm not sure if anyone else would be interested in additional hooks in
soft-pkcs11 to retrieve a credential from some external source requiring
a login, but if there's interest I'd be happy to make this as generic as
possible, and contribute it back.

-Matt Andrews

Re: pkinit/opensc/soft-pkcs11

Douglas E. Engert


Matthew N. Andrews wrote:

> Love Hörnquist Åstrand wrote:
>
>> Matthew Andrews <[hidden email]> writes:
>>
>>
>>> Yes, I believe that the "Not Supported" error is orriginating in
>>> soft-pkcs11. I was just trying to figure out how you would succesfully
>>> use soft-pkcs11 with kinit if this was the case. is there a way to get
>>> openssl to use the engine only for certain operations?
>>
>>
>>
>> I think the error is from this snippet of code in opensc's openssl
>> engine.
>> Its doesn't support rsa encryption. soft-pkcs11 does support rsa
>> encryption.
>>
>> static int
>> pkcs11_rsa_encrypt(int flen, const unsigned char *from, unsigned char
>> *to,
>>            RSA * rsa, int padding)
>> {
>>     /* PKCS11 calls go here */
>>     PKCS11err(PKCS11_F_PKCS11_RSA_ENCRYPT, PKCS11_NOT_SUPPORTED);
>>     return -1;
>> }
>>
>>
>
> you're absolutely right about this. I even walked through thisin gdb but
> it was late and I was getting tired, and sloppy and thought I was in the
> soft-pkcs11 library, not the opensc library. sorry about that.
>
> and again thanks for the help. At this point I can successfully use
> kinit to get tickets using a key pulled from soft-pkcs11. now I just
> need to add a mechanism to soft-pkcs11 that has it require a login, and
> uses the login pin to acquire credentials for the user. time to read up
> a little more on pkcs11, and figure out how I'm going to be able to get
> a username(principal) all the way from the heimdal library layer down to
> the pkcs11 layer(maybe as a pkcs11 object attribute that is searched for?).
>
> Just in case anyone cares, my goal here is to have a pkcs11 software
> token that requires login to retrieve a user key/cert pair, and to upon
> "login" to actually acquire the key/cert from a globus myproxy server.

So how are you authenticating to the myproxy?
It is not clear why you are trying to do all of this from the pkcs11.
It sounds like it should be multiple operations. Maybe via PAM.
Are you going to use the "pin" to authenticate to the myproxy?


Re: pkinit/opensc/soft-pkcs11

Matthew Andrews-2
Douglas E. Engert wrote:
...

>>
>> Just in case anyone cares, my goal here is to have a pkcs11 software
>> token that requires login to retrieve a user key/cert pair, and to
>> upon "login" to actually acquire the key/cert from a globus myproxy
>> server.
>
>
> So how are you authenticating to the myproxy?
> It is not clear why you are trying to do all of this from the the pkcs11.
> It sounds like it should be multiple operations. Maybe via PAM.
> Are going to use the "pin" to authenticate to the myproxy?
>

Yes, I plan on using the pin. My rationale for going the pkcs11 route is
that it means that users will be able to acquire new credentials post
login simply by running kinit. The password to the myproxy server is
validated against an OTP server. If/when sometime down the road we shift
to using smart cards for authentication rather than OTP fobs, it simply
means that we swap out the myproxy/soft-pkcs11 library for one that
actually interfaces with whatever smartcard we end up standardizing on.

Multi-module PAM stacks work fine for initial login, but I don't know of
a generic PAM-aware "acquire new credentials" application.

I'm open to alternate suggestions, but I think that the user experience
of having kinit do the right thing without needing the user to
explicitly take the myproxy step will be a win. I could just replace
kinit with a script that does both kinit and myproxy; however, if I can
come up with a solution that just requires configuration changes to what
will ultimately be the standard heimdal code/apps, rather than replacing
them with wrappers, I'll be happier.


-Matt

Re: pkinit/opensc/soft-pkcs11

Matthew Andrews-2
Hmmm...

Upon further consideration I think you're right (sorta). pkcs11 is not
really what I want here. It's more likely that what I want is actually
simply an engine_myproxy.sa that provides ENGINE_load_private_key, and
ENGINE_load_public_key, and ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL" ...

whee!!!!



Re: pkinit/opensc/soft-pkcs11

Douglas E. Engert
Since you are trying to use a Globus proxy file, all the code you
need may already be present and you don't need the engine at all.

Can you try:

kinit -C FILE:tmp/x509up_u31765,tmp/x509up_u31765 ma3d

This will use load_openssl_file (rather than load_openssl_engine)
and use the proxy file for the cert and key.



Re: pkinit/opensc/soft-pkcs11

Matthew Andrews-2
I am not trying just to use a proxy file. What I actually want is to in
fact retrieve that cert/key from the myproxy server on the fly
when kinit asks for it, using the krb5/ssl prompter to ask for the
myproxy password. I.e. before the kinit runs, there is no myproxy
credential anywhere on the machine.

The reason I was using the myproxy file before was to test that all the
pieces I wanted to use were working before I started modifying
them (helps differentiate bugs I introduce from pre-existing
bugs/configuration errors, and also helped me get a feel for how the
whole stack fit together).

-Matt
