What Should I Push On?

Henry B. Hotz hotz at jpl.nasa.gov
Sat May 5 13:58:01 EDT 2012 

Thanks for the info.  I may have issues to deal with after this one.  *sigh*

Since the specific problem shows with a PKCS12 credential as well, I'm thinking I should get a real RedHat 6.2 instance to test with first.

On May 4, 2012, at 1:40 PM, Douglas E. Engert wrote:

> On 5/4/2012 8:57 AM, Douglas E. Engert wrote:
>> 
>> 
>> On 5/3/2012 11:18 PM, Greg Hudson wrote:
>>> On 05/03/2012 08:52 PM, Henry B. Hotz wrote:
>>>> [5571] 1336088306.8828: Selected etype info: etype aes256-cts, salt "SC.JPL.NASA.GOVhotz", params "
>>>> CoolKey PIN:
>>>> [5571] 1336088310.707006: Preauth module pkinit (16) (flags=1) returned: 12/Cannot allocate memory
>>>> [5571] 1336088310.708361: Preauth module pkinit (15) (flags=1) returned: 12/Cannot allocate memory
>>> 
>>> That almost certainly indicates a bug--either in our code, the
>>> Scientific Linux packaging of it, or the PKCS11 library invoked for the
>>> PIV card.
>> 
>> 
>> What version of coolkey are you running? In the past coolkey only supported
>> the CAC cards. DOD has been moving to dual CAC and PIV cards. NASA cards may
>> be PIV only, thus may not work with some versions of coolkey.
>> 
>> To test if it is a PKCS#11 issue, OpenSC has a pkcs11-spy module
>> that could be used to trace the PKCS#11 calls and results.
>> 
>> export PKCS11SPY=/usr/lib64/pkcs11/libcoolkeypk11.so
>> kinit -X X509_user_identity=PKCS11:/path/to/pkcs11-spy.so hotz at SC.JPL.NASA.GOV
>> 
>> OpenSC also has PKCS#11 and supports PIV.
>> 
> 
> I got coolkey-1.1.0-19 to build on Solaris 10 in 32 bit mode. (although
> some of the patches from the rpm to the 1.1.0 source did
> not apply cleanly and I have to make a minor modification for Solaris.)
> 
> Using krb5-1.10.1 and the OpenSC pkcs11spy and a PIV card,
> I can see it reads the certificates, prompted for PIN and did a C_Sign operation
> but coolkey only returns 122 bytes rather then 128 bytes as expected for the signature.
> 
> I then get a kinit: Message stream modified while getting initial credentials.
> 
> So it looks like there are some problems in the coolkey code in processing the
> returned signature.
> 
> Using the same card, with krb5-1.10.1 and OpenSC pkcs11 works.
> 
>> 
>>> 
>>> Unfortunately, I think the next step is to grab the SRPM for krb5 and
>>> either (a) build with debugging symbols (and without optimization) and
>>> start poking around in gdb, or (b) build with the PKINIT debugging
>>> defines turned on and collect more information.  Either is pretty
>>> time-consuming.
>>> _______________________________________________
>>> krbdev mailing list             krbdev at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>> 
>>> 
>> 
> 
> -- 
> 
> Douglas E. Engert  <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois  60439
> (630) 252-5444

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu

More information about the krbdev mailing list