What Should I Push On?

Douglas E. Engert deengert at anl.gov
Fri May 4 16:40:33 EDT 2012



On 5/4/2012 8:57 AM, Douglas E. Engert wrote:
>
>
> On 5/3/2012 11:18 PM, Greg Hudson wrote:
>> On 05/03/2012 08:52 PM, Henry B. Hotz wrote:
>>> [5571] 1336088306.8828: Selected etype info: etype aes256-cts, salt "SC.JPL.NASA.GOVhotz", params "
>>> CoolKey PIN:
>>> [5571] 1336088310.707006: Preauth module pkinit (16) (flags=1) returned: 12/Cannot allocate memory
>>> [5571] 1336088310.708361: Preauth module pkinit (15) (flags=1) returned: 12/Cannot allocate memory
>>
>> That almost certainly indicates a bug--either in our code, the
>> Scientific Linux packaging of it, or the PKCS11 library invoked for the
>> PIV card.
>
>
> What version of coolkey are you running? In the past coolkey only supported
> the CAC cards. DOD has been moving to dual CAC and PIV cards. NASA cards may
> be PIV only, thus may not work with some versions of coolkey.
>
> To test if it is a PKCS#11 issue, OpenSC has a pkcs11-spy module
> that could be used to trace the PKCS#11 calls and results.
>
> export PKCS11SPY=/usr/lib64/pkcs11/libcoolkeypk11.so
> kinit -X X509_user_identity=PKCS11:/path/to/pkcs11-spy.so hotz at SC.JPL.NASA.GOV
>
> OpenSC also has PKCS#11 and supports PIV.
>

I got coolkey-1.1.0-19 to build on Solaris 10 in 32-bit mode (although
some of the patches from the rpm to the 1.1.0 source did
not apply cleanly and I had to make a minor modification for Solaris).

Using krb5-1.10.1 and the OpenSC pkcs11-spy and a PIV card,
I can see it read the certificates, prompted for the PIN and did a C_Sign operation,
but coolkey only returns 122 bytes rather than the 128 bytes expected for the signature.

I then get "kinit: Message stream modified while getting initial credentials".

So it looks like there are some problems in the coolkey code in processing the
returned signature.

Using the same card, with krb5-1.10.1 and OpenSC pkcs11 works.

>
>>
>> Unfortunately, I think the next step is to grab the SRPM for krb5 and
>> either (a) build with debugging symbols (and without optimization) and
>> start poking around in gdb, or (b) build with the PKINIT debugging
>> defines turned on and collect more information.  Either is pretty
>> time-consuming.
>> _______________________________________________
>> krbdev mailing list             krbdev at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>
>>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
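An added diagnostic helper, not code from this thread or from krb5, OpenSC or coolkey: it parses KRB5_TRACE lines of the shape quoted above, lists preauth modules that returned an error, and checks a C_Sign output length against the RSA modulus size (the 128-byte signature the message expects corresponds to a 1024-bit key). The trace-line pattern is inferred from the quoted lines only, and the sample input is constructed from them.

```python
import re

# KRB5_TRACE line shape seen in the thread: "[pid] secs.usec: message"
TRACE_RE = re.compile(r"^\[(\d+)\]\s+(\d+\.\d+):\s+(.*)$")
# "Preauth module pkinit (16) (flags=1) returned: 12/Cannot allocate memory"
PREAUTH_RE = re.compile(
    r"Preauth module (\w+) \((\d+)\) \(flags=(\d+)\) returned: (\d+)/(.*)")


def parse_trace(text):
    """Return (pid, timestamp, message) for each line in KRB5_TRACE format.

    Lines that do not match (e.g. the PIN prompt) are skipped."""
    out = []
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), float(m.group(2)), m.group(3)))
    return out


def failed_preauth(text):
    """Return [(module, padata_type, errno, errmsg)] for preauth modules
    that returned a nonzero code."""
    failures = []
    for _pid, _ts, msg in parse_trace(text):
        m = PREAUTH_RE.match(msg)
        if m and int(m.group(4)) != 0:
            failures.append((m.group(1), int(m.group(2)),
                             int(m.group(4)), m.group(5)))
    return failures


def expected_sig_len(modulus_bits):
    """A raw RSA PKCS#1 v1.5 signature from C_Sign is exactly the modulus
    length in bytes; anything shorter means the token/module mangled it."""
    return (modulus_bits + 7) // 8


def sig_len_ok(sig_len, modulus_bits):
    return sig_len == expected_sig_len(modulus_bits)


# Constructed sample: the trace lines quoted in the thread.
SAMPLE_TRACE = """\
[5571] 1336088306.8828: Selected etype info: etype aes256-cts, salt "SC.JPL.NASA.GOVhotz", params "
CoolKey PIN:
[5571] 1336088310.707006: Preauth module pkinit (16) (flags=1) returned: 12/Cannot allocate memory
[5571] 1336088310.708361: Preauth module pkinit (15) (flags=1) returned: 12/Cannot allocate memory
"""
```

Feeding the output of `KRB5_TRACE=/dev/stderr kinit ...` to `failed_preauth` isolates the failing preauth step, and `sig_len_ok(122, 1024)` reproduces the short-signature check from the message.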

