Using PKINIT with ECC
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri Nov 24 15:47:34 EST 2023
>> However, I believe Yubico provides a PKCS#11 module for Yubikeys; have
>> you tried that? The OpenSC people usually do a good job in terms of
>> supporting a wide variety of cards but depending on how old the particular
>> version of OpenSC you are using is you may be running into a compatibility
>> issue.
>>
>> --Ken
>
> Indeed the module provided by Yubico solved the issue. It is called
> ykcs11 and is readily available in the linux package managers.
I am a LITTLE surprised it worked! The MIT PKINIT plugin hard-codes
the mechanism in the request; I guess the Yubico library ignores the
mechanism given to it, which seems strange to me.
I have to ask ... are you SURE that it's using ECC? Because the code that
uses the PKCS#11 library is actually generating a PKCS#1 digest. I was
under the impression that ECC signatures are in a different format, so
I am puzzled how it works at all.
> [14174] 1700562344.750583: PKINIT error: There are 3 certs, but there
> must be exactly one.
I also use smartcards with multiple certificates, and ... well, I'm
not sure how the code would get it wrong. I would use some PKCS#11
tools to poke at the Yubico library to see what certificates it
says that it has (the KRB5_TRACE output should give you the subjects
of the certificates that it finds).
--Ken
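An added example of the "poke at the module with PKCS#11 tools" step Ken suggests (written for this page, not from the thread or from Yubico/OpenSC): it lists the certificate objects OpenSC's pkcs11-tool reports for a module and checks whether exactly one is present, which is what the "There are 3 certs" error is complaining about. The module path and the sample pkcs11-tool output are constructed placeholders.

```shell
#!/bin/sh
# Added example: enumerate the certificates a PKCS#11 module exposes and
# check whether exactly one is present, as the PKINIT error above requires.
# Assumes OpenSC's pkcs11-tool is installed. The module path is a
# placeholder for wherever libykcs11.so lives on your system.
YKCS11_MODULE="${YKCS11_MODULE:-/usr/lib/libykcs11.so}"   # placeholder path

# Read pkcs11-tool --list-objects output on stdin and print the label of
# every certificate object. Each certificate block opens with a line
# starting "Certificate Object"; its "label:" line follows.
cert_labels() {
    awk '
        /^Certificate Object/ { in_cert = 1; next }
        in_cert && /^[[:space:]]+label:/ {
            sub(/^[[:space:]]+label:[[:space:]]+/, "")
            print
            in_cert = 0
        }
    '
}

# Count the certificates on stdin; succeed only when exactly one is present.
check_single_cert() {
    n=$(cert_labels | wc -l | tr -d ' ')
    echo "certificates found: $n"
    [ "$n" -eq 1 ]
}

# Query a live token (needs the module and a plugged-in key; not run here).
list_token_certs() {
    pkcs11-tool --module "$YKCS11_MODULE" --list-objects --type cert
}

# Constructed sample of pkcs11-tool output for a PIV applet with three
# populated certificate slots (not captured from a real device).
SAMPLE_OUTPUT='Certificate Object; type = X.509 cert
  label:      X.509 Certificate for PIV Authentication
  subject:    DN: CN=alice
  ID:         01
Certificate Object; type = X.509 cert
  label:      X.509 Certificate for Digital Signature
  subject:    DN: CN=alice
  ID:         02
Certificate Object; type = X.509 cert
  label:      X.509 Certificate for Key Management
  subject:    DN: CN=alice
  ID:         03'

# Against the sample this lists three labels and reports "certificates found: 3".
printf '%s\n' "$SAMPLE_OUTPUT" | cert_labels
printf '%s\n' "$SAMPLE_OUTPUT" | check_single_cert ||
    echo "more than one certificate: compare these labels with the subjects in KRB5_TRACE"
```

Replace the sample with `list_token_certs | cert_labels` to run it against the real module; the labels it prints are what to compare against the subjects the KRB5_TRACE output shows PKINIT finding.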