> We had it working in November with Yubico's libykcs11 in a lab and in
> production tested by two independent people. Testing it again this year
> it failed. We are in the process of finding out what exactly we have
> tested in November.
>
> I am really confused now. I thought that the problem was in the opensc
> code and replacing it with Yubico's libykcs11, which officially supports
> ECC, should fix it.
>
> Now you seem to suggest that the problem is in the Kerberos code?
Well, geez dude, this was back in November and I brought this up then. But here are some snippets of the PKCS#11 code in MIT Kerberos.

When specifying the search parameters to find the private key:

    keytype = CKK_RSA;
    attrs[nattrs].type = CKA_KEY_TYPE;
    attrs[nattrs].pValue = &keytype;
    attrs[nattrs].ulValueLen = sizeof keytype;
    nattrs++;

When setting the key signing mechanism:

    /*
     * We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but
     * historically many cards seem to be confused about whether they are
     * capable of mechanisms or not.  The safe thing seems to be to ignore the
     * mechanism list, always use CKM_RSA_PKCS and calculate the sha256 digest
     * ourselves.
     */
    id_cryptoctx->mech = CKM_RSA_PKCS;

Those are all hardcoded uses of RSA keys and signing mechanisms, and it doesn't handle ECC at all. So unless the Yubico library ignored the key type and mechanism (which I think would be extremely unlikely but not impossible), I suspect you were using RSA back during your original testing and didn't realize it.

--Ken

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
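For readers following the thread, here is an added example (not MIT Kerberos code) of what an ECC-aware version of the two quoted decisions looks like: search for private keys by object class instead of hardcoding CKK_RSA, then choose the mechanism and the C_Sign input from the key type actually found on the token. The PKCS#11 constants are the standard values from pkcs11.h, redeclared here only so the file compiles stand-alone.

```c
/* Added example: ECC-aware replacements for the hardcoded RSA choices quoted
 * above. Constants are the standard PKCS#11 values (a real build would just
 * include pkcs11.h); they are redeclared so this compiles on its own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_KEY_TYPE, CK_MECHANISM_TYPE, CK_ATTRIBUTE_TYPE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKK_RSA         0x0UL
#define CKK_EC          0x3UL
#define CKM_RSA_PKCS    0x1UL
#define CKM_ECDSA       0x1041UL
#define CKA_CLASS       0x0UL
#define CKO_PRIVATE_KEY 0x3UL

/* Search template keyed on object class only, so C_FindObjects returns EC
 * private keys as well as RSA ones. Caller reads CKA_KEY_TYPE afterwards. */
static CK_ULONG privkey_class = CKO_PRIVATE_KEY;
size_t build_privkey_template(CK_ATTRIBUTE *attrs) {
    attrs[0].type = CKA_CLASS;
    attrs[0].pValue = &privkey_class;
    attrs[0].ulValueLen = sizeof privkey_class;
    return 1;                      /* number of attributes filled in */
}

/* DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1). */
static const uint8_t SHA256_DIGESTINFO[19] = {
    0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,
    0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20 };

/* Pick the mechanism from the key type found on the token and build the
 * buffer C_Sign expects with the digest computed by the caller:
 *   CKM_RSA_PKCS wants DigestInfo||hash (51 bytes for SHA-256),
 *   CKM_ECDSA wants the raw hash and returns r||s, which CMS/PKINIT callers
 *   must still DER-encode as an ECDSA-Sig-Value.
 * Returns bytes written to `in`, or 0 for a key type we refuse to guess at. */
size_t prepare_sign_input(CK_KEY_TYPE keytype, const uint8_t sha256[32],
                          uint8_t in[51], CK_MECHANISM_TYPE *mech) {
    switch (keytype) {
    case CKK_RSA:
        *mech = CKM_RSA_PKCS;
        memcpy(in, SHA256_DIGESTINFO, sizeof SHA256_DIGESTINFO);
        memcpy(in + sizeof SHA256_DIGESTINFO, sha256, 32);
        return sizeof SHA256_DIGESTINFO + 32;
    case CKK_EC:
        *mech = CKM_ECDSA;
        memcpy(in, sha256, 32);
        return 32;
    default:
        return 0;
    }
}
```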