Using PKINIT with ECC

Ken Hornstein kenh at cmf.nrl.navy.mil
Sun Nov 19 12:41:57 EST 2023


>P:296321; T:0x140609979246400 17:33:26.054 [opensc-pkcs11] 
>pkcs11-object.c:697:C_SignInit: C_SignInit() = CKR_KEY_HANDLE_INVALID

As a follow-up to my previous message, I believe the problem is that for
_smartcards_ the PKCS#11 mechanism is hardcoded to CKM_RSA_PKCS:

    /*
     * We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but
     * historically many cards seem to be confused about whether they are
     * capable of mechanisms or not. The safe thing seems to be to ignore the
     * mechanism list, always use CKM_RSA_PKCS and calculate the sha256 digest
     * ourselves.
     */
    id_cryptoctx->mech = CKM_RSA_PKCS;

There's a CKM_ECDSA_SHA1 mechanism which does the hashing for you, and
there's also a CKM_ECDSA mechanism where you have to calculate the hash
value which is kind of close (but not exactly the same as) to CKM_RSA_PKCS.
So, dang, code is going to have to be written.

--Ken


More information about the Kerberos mailing list