Using PKINIT with ECC

Goetz Golla mit at sec4mail.de
Thu Jan 11 09:20:45 EST 2024


On 11/24/23 21:47, Ken Hornstein wrote:
>>> However, I believe Yubico provides a PKCS#11 module for Yubikeys; have
>>> you tried that?  The OpenSC people usually do a good job in terms of
>>> supporting a wide variety of cards but depending on how old the particular
>>> version of OpenSC you are using is you may be running into a compatibility
>>> issue.
>>>
>>> --Ken
>> Indeed the module provided by Yubico solved the issue. It is called
>> ykcs11 and is readily available in the linux package managers.
> I am a LITTLE surprised it worked!  The MIT PKINIT plugin hard-codes
> the mechanism in the request; I guess the Yubico library ignores the
> mechanism given to it, which seems strange to me.
>
> I have to ask ... are you SURE that it's using ECC?  Because the code that
> uses the PKCS#11 library is actually generating a PKCS#1 digest.  I was
> under the impression that ECC signatures are in a different format, so
> I am puzzled how it works at all.

We had it working in November with Yubico's libykcs11 in a lab and in
production, tested by two independent people. Testing it again this year,
it failed. We are in the process of finding out what exactly we
tested in November.

I am really confused now. I thought that the problem was in the OpenSC
code and that replacing it with Yubico's libykcs11, which officially supports
ECC, should fix it.

Now you seem to suggest that the problem is in the Kerberos code?

Regards,

Goetz
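The distinction Ken raises above, between the PKCS#1 DigestInfo that an RSA token mechanism consumes and the bare hash that an ECDSA operation consumes, is the kind of thing one ends up checking by hand when a PKINIT client signs with the wrong mechanism. The following is an added example, not code from this thread, from MIT Kerberos, or from Yubico's library; it uses only the Python standard library, the constants and function names are mine, and the sample signature bytes are constructed for the demonstration. It builds both input encodings and classifies a signature blob by its format so a debugging dump can be checked against the key type that was supposed to sign it.

```python
"""Added example (not from the thread, MIT Kerberos or libykcs11):
show what CKM_RSA_PKCS versus CKM_ECDSA expect as input, and tell an
RSA PKCS#1 v1.5 signature apart from an ECDSA one when debugging."""
import hashlib

# DER prefix of the PKCS#1 v1.5 DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGEST_INFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def pkcs1_digest_info(data: bytes) -> bytes:
    """What a caller hands to CKM_RSA_PKCS: DigestInfo(SHA-256) over data.
    The token only pads (PKCS#1 v1.5 type 1) and does the RSA operation."""
    return SHA256_DIGEST_INFO_PREFIX + hashlib.sha256(data).digest()


def ecdsa_input(data: bytes) -> bytes:
    """What a caller hands to CKM_ECDSA: the bare hash, no DigestInfo wrapper.
    Feeding it pkcs1_digest_info() instead signs a different, longer message."""
    return hashlib.sha256(data).digest()


def _der_len(buf: bytes, i: int):
    """Parse a DER length starting at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def parse_ecdsa_sig(sig: bytes):
    """Return (r, s) if sig is a DER SEQUENCE of exactly two INTEGERs, else None.
    X.509/CMS carry ECDSA signatures in this DER form; PKCS#11 CKM_ECDSA
    itself returns the raw concatenation r||s, handled in classify_signature."""
    try:
        if sig[0] != 0x30:
            return None
        seq_len, i = _der_len(sig, 1)
        if i + seq_len != len(sig):
            return None
        ints = []
        for _ in range(2):
            if sig[i] != 0x02:
                return None
            length, i = _der_len(sig, i + 1)
            ints.append(int.from_bytes(sig[i:i + length], "big"))
            i += length
        if i != len(sig):
            return None
        return tuple(ints)
    except IndexError:
        return None


def classify_signature(sig: bytes, key_type: str, key_bits: int) -> str:
    """Heuristic for a debugging dump, given the signing key's type and size:
    a DER (r,s) pair is ECDSA; a blob of 2*field_size bytes from an EC key is
    raw PKCS#11 ECDSA output; a blob of modulus size from an RSA key is
    PKCS#1 v1.5.  Anything else does not match the key it was supposedly
    produced with, which is the mismatch worth investigating."""
    if parse_ecdsa_sig(sig) is not None:
        return "ecdsa-der"
    field = (key_bits + 7) // 8
    if key_type == "EC" and len(sig) == 2 * field:
        return "ecdsa-raw"
    if key_type == "RSA" and len(sig) == field:
        return "rsa-pkcs1v15"
    return "mismatch"


if __name__ == "__main__":
    msg = b"AS-REQ authenticator (constructed sample)"
    print("CKM_RSA_PKCS input:", pkcs1_digest_info(msg).hex())
    print("CKM_ECDSA input:   ", ecdsa_input(msg).hex())
    # Constructed sample signatures, not real signatures.
    print(classify_signature(bytes.fromhex("3006020101020102"), "EC", 256))
    print(classify_signature(bytes(64), "EC", 256))
    print(classify_signature(bytes(256), "RSA", 2048))
    print(classify_signature(bytes(256), "EC", 256))
```

The last call is the case to look for in a trace: a 256-byte blob coming back for a P-256 key is neither DER nor raw ECDSA output, which points at an RSA mechanism having been used with an EC key rather than at the card or the PKCS#11 module being broken.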