On 11/24/23 21:47, Ken Hornstein wrote:
However, I believe Yubico provides a PKCS#11 module for Yubikeys; have
you tried that?  The OpenSC people usually do a good job in terms of
supporting a wide variety of cards but depending on how old the particular
version of OpenSC you are using is you may be running into a compatibility
issue.

--Ken
Indeed the module provided by Yubico solved the issue. It is called
ykcs11 and is readily available in the Linux package managers.
I am a LITTLE surprised it worked!  The MIT PKINIT plugin hard-codes
the mechanism in the request; I guess the Yubico library ignores the
mechanism given to it, which seems strange to me.

I have to ask ... are you SURE that it's using ECC?  Because the code that
uses the PKCS#11 library is actually generating a PKCS#1 digest.  I was
under the impression that ECC signatures are in a different format, so
I am puzzled how it works at all.

We had it working in November with Yubico's libykcs11 in a lab and in production tested by two independent people. Testing it again this year it failed. We are in the process of finding out what exactly we have tested in November.

I am really confused now. I thought that the problem was in the opensc code and replacing it with Yubico's libykcs11, which officially supports ECC, should fix it.

Now you seem to suggest that the problem is in the Kerberos code?

Regards,

Goetz

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
