What Should I Push On?

Dmitri Pal dpal at redhat.com
Mon May 14 16:31:02 EDT 2012


On 05/05/2012 01:58 PM, Henry B. Hotz wrote:
> Thanks for the info.  I may have issues to deal with after this one.  *sigh*
>
> Since the specific problem shows with a PKCS12 credential as well, I'm thinking I should get a real RedHat 6.2 instance to test with first.
>

Is there any way to get these cards to Red Hat for us to be able to test
this issue?
If this is an option please contact me off list.

> On May 4, 2012, at 1:40 PM, Douglas E. Engert wrote:
>
>> On 5/4/2012 8:57 AM, Douglas E. Engert wrote:
>>>
>>> On 5/3/2012 11:18 PM, Greg Hudson wrote:
>>>> On 05/03/2012 08:52 PM, Henry B. Hotz wrote:
>>>>> [5571] 1336088306.8828: Selected etype info: etype aes256-cts, salt "SC.JPL.NASA.GOVhotz", params "
>>>>> CoolKey PIN:
>>>>> [5571] 1336088310.707006: Preauth module pkinit (16) (flags=1) returned: 12/Cannot allocate memory
>>>>> [5571] 1336088310.708361: Preauth module pkinit (15) (flags=1) returned: 12/Cannot allocate memory
>>>> That almost certainly indicates a bug--either in our code, the
>>>> Scientific Linux packaging of it, or the PKCS11 library invoked for the
>>>> PIV card.
>>>
>>> What version of coolkey are you running? In the past coolkey only supported
>>> the CAC cards. DOD has been moving to dual CAC and PIV cards. NASA cards may
>>> be PIV only, thus may not work with some versions of coolkey.
>>>
>>> To test if it is a PKCS#11 issue, OpenSC has a pkcs11-spy module
>>> that could be used to trace the PKCS#11 calls and results.
>>>
>>> export PKCS11SPY=/usr/lib64/pkcs11/libcoolkeypk11.so
>>> kinit -X X509_user_identity=PKCS11:/path/to/pkcs11-spy.so hotz@SC.JPL.NASA.GOV
>>>
>>> OpenSC also has PKCS#11 and supports PIV.
>>>
>> I got coolkey-1.1.0-19 to build on Solaris 10 in 32-bit mode (although
>> some of the patches from the rpm to the 1.1.0 source did
>> not apply cleanly and I had to make a minor modification for Solaris).
>>
>> Using krb5-1.10.1 and the OpenSC pkcs11-spy and a PIV card,
>> I can see it read the certificates, prompt for the PIN and do a C_Sign operation,
>> but coolkey only returns 122 bytes rather than 128 bytes as expected for the signature.
>>
>> I then get a kinit: Message stream modified while getting initial credentials.
>>
>> So it looks like there are some problems in the coolkey code in processing the
>> returned signature.
>>
>> Using the same card, with krb5-1.10.1 and OpenSC pkcs11 works.
>>
>>>> Unfortunately, I think the next step is to grab the SRPM for krb5 and
>>>> either (a) build with debugging symbols (and without optimization) and
>>>> start poking around in gdb, or (b) build with the PKINIT debugging
>>>> defines turned on and collect more information.  Either is pretty
>>>> time-consuming.
>>>> _______________________________________________
>>>> krbdev mailing list             krbdev at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>>>
>>>>
>> -- 
>>
>> Douglas E. Engert  <DEEngert at anl.gov>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois  60439
>> (630) 252-5444
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
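As an added example (not code from this thread, nor from MIT krb5, OpenSC or coolkey), here is the tracing procedure Douglas describes above wrapped in a script that also checks the one value the thread turns on: the length of each C_Sign result against the size of the RSA modulus. The spy and coolkey module paths, the log location, the 1024-bit modulus (inferred from the 128 bytes Douglas expected) and the sample trace lines are all assumptions; the sed pattern assumes pkcs11-spy's `[out] pSignature[*pulSignatureLen] <ptr> / <len>` line layout, so adjust it if your build prints the buffer differently.

```shell
#!/bin/sh
# Added example, not code from the krbdev thread or from MIT krb5/OpenSC/coolkey.
# Wraps kinit in OpenSC's pkcs11-spy so every PKCS#11 call made by the PKINIT
# preauth module is traced, then checks that each CKM_RSA_PKCS C_Sign result
# is exactly as long as the RSA modulus. Paths and sizes below are assumptions.

SPY_MODULE=${SPY_MODULE:-/usr/lib64/pkcs11/pkcs11-spy.so}        # assumed path
REAL_MODULE=${REAL_MODULE:-/usr/lib64/pkcs11/libcoolkeypk11.so}  # assumed path
SPY_LOG=${SPY_LOG:-/tmp/pkcs11-spy.log}                          # assumed path
MODULUS_BITS=${MODULUS_BITS:-1024}   # assumed: 128-byte signatures imply 1024-bit RSA

# Run kinit through the spy. PKCS11SPY names the real module the spy forwards
# to and PKCS11SPY_OUTPUT is where it writes the trace (both are pkcs11-spy's
# own environment variables); kinit is pointed at the spy, not at coolkey.
spied_kinit() {
    PKCS11SPY="$REAL_MODULE" PKCS11SPY_OUTPUT="$SPY_LOG" \
        kinit -X X509_user_identity="PKCS11:$SPY_MODULE" "$1"
}

# Print the length of every signature buffer C_Sign handed back, one per line.
# Reads a pkcs11-spy trace on stdin; assumes the spy's
# "[out] pSignature[*pulSignatureLen] <ptr> / <len>" line layout.
sig_lens_from_trace() {
    sed -n 's|.*pSignature\[\*pulSignatureLen\].*/ \([0-9][0-9]*\) *$|\1|p'
}

# For CKM_RSA_PKCS the signature is a modulus-sized integer, so a 1024-bit key
# must yield exactly 128 bytes. Returns 0 when the length is right, 1 when the
# module returned fewer bytes than the modulus (a 122-byte result here is what
# kinit later reports as "Message stream modified").
check_sig_len() {
    modulus_bits=$1
    sig_bytes=$2
    expect=$((modulus_bits / 8))
    if [ "$sig_bytes" -eq "$expect" ]; then
        echo "ok: C_Sign returned $sig_bytes bytes for a $modulus_bits-bit key"
        return 0
    fi
    echo "bad: C_Sign returned $sig_bytes bytes, expected $expect for a $modulus_bits-bit key" >&2
    return 1
}

# Constructed sample trace (not real spy output): one C_Sign call whose module
# hands back a 122-byte signature for a 1024-bit key, as described in the thread.
sample_trace() {
    cat <<'EOF'
7: C_Sign
[in] hSession = 0x1
[in] pData[ulDataLen] 0x7f3a0c001230 / 35
    00000000  30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 A9
[out] pSignature[*pulSignatureLen] 0x7f3a0c001300 / 122
    00000000  5C 3D 9B 21 7E 0A 44 F1 8B 2C 6D 19 C3 57 E2 0F
Returned:  0 CKR_OK
EOF
}

# Usage: ./spy-kinit.sh [principal]
# With a principal: run the spied kinit and check every C_Sign in the log.
# Without one: check only the constructed sample (needs no card, KDC or kinit).
if [ -n "$1" ]; then
    spied_kinit "$1"
    for n in $(sig_lens_from_trace <"$SPY_LOG"); do check_sig_len "$MODULUS_BITS" "$n"; done
else
    for n in $(sample_trace | sig_lens_from_trace); do check_sig_len "$MODULUS_BITS" "$n" || true; done
fi
```

The length check is the cheapest discriminator between "the card or the PKCS#11 module is at fault" and "krb5's PKINIT code is at fault": if the spy trace shows C_Sign returning fewer bytes than the modulus, the problem is below the PKCS#11 boundary and no amount of gdb on krb5 will find it, which is also why the same card works once the OpenSC PKCS#11 module is substituted for coolkey.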




