Groups | Search | Server Info | Login | Register

Groups > comp.protocols.kerberos > #5232

Re: Using PKINIT with ECC

Show all headers | View raw

>We had it working in November with Yubico's libykcs11 in a lab and in 
>production tested by two independent people. Testing it again this year 
>it failed. We are in the process of finding out what exactly we have 
>tested in November.
>
>I am really confused now. I thought that the problem was in the opensc 
>code and replacing it with Yubico's libykcs11, which officially supports 
>ECC, should fix it.
>
>Now you seem to suggest that the problem is in the Kerberos code ?

Well, geez dude, this was back in November and I brought this up then.
But here is some snippets of the PKCS#11 code in MIT Kerberos:

When specifying the search parameters to find the private key:

    keytype = CKK_RSA;
    attrs[nattrs].type = CKA_KEY_TYPE;
    attrs[nattrs].pValue = &keytype;
    attrs[nattrs].ulValueLen = sizeof keytype;
    nattrs++;

When setting the key signing mechanism:

    /*
     * We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but
     * historically many cards seem to be confused about whether they are
     * capable of mechanisms or not. The safe thing seems to be to ignore the
     * mechanism list, always use CKM_RSA_PKCS and calculate the sha256 digest
     * ourselves.
     */
    id_cryptoctx->mech = CKM_RSA_PKCS;

Those are all hardcoded use of RSA keys and signing mechanisms and it
doesn't handle ECC at all.  So unless the Yubico library ignored the
key type and mechanism (which I think would be extremely unlikely but
not impossible) I suspect you were using RSA back during your original
testing and didn't realize it.

--Ken

Back to comp.protocols.kerberos | Previous | Next | Find similar

Thread

Re: Using PKINIT with ECC Ken Hornstein <kenh@cmf.nrl.navy.mil> - 2024-01-11 09:41 -0500

csiph-web