Re: Using PKINIT with ECC
https://www.novabbs.com/devel/article-flat.php?id=442&group=comp.protocols.kerberos#442
From: mit...@sec4mail.de (Goetz Golla)
Newsgroups: comp.protocols.kerberos
Subject: Re: Using PKINIT with ECC
Date: Fri, 24 Nov 2023 09:41:09 +0100
Organization: TNet Consulting
Lines: 45
Message-ID: <mailman.64.1700815289.2263420.kerberos@mit.edu>
References: <8984fe41-f9a0-434b-a09c-df2bc88125dc@sec4mail.de>
<ae76ed5c-1399-401e-988c-ed2dbdfff6e7@mit.edu>
<81bc4460-b88a-4dfe-b538-e22805a086ea@sec4mail.de>
<202311191733.3AJHXASl018607@hedwig.cmf.nrl.navy.mil>
<414fe2a9-56ad-4401-b72a-4c002405e56c@sec4mail.de>
 by: Goetz Golla - Fri, 24 Nov 2023 08:41 UTC

On 11/19/23 18:33, Ken Hornstein wrote:
> However, I believe Yubico provides a PKCS#11 module for Yubikeys; have
> you tried that? The OpenSC people usually do a good job in terms of
> supporting a wide variety of cards but depending on how old the particular
> version of OpenSC you are using is you may be running into a compatibility
> issue.
>
> --Ken

Indeed, the module provided by Yubico solved the issue. It is called
ykcs11 and is readily available in the Linux package managers.

E.g. using

 kinit -X X509_user_identity='PKCS11:libykcs11.so'

instead of

 kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so'

BUT with ykcs11 I got the following message in the trace

[14174] 1700562344.750583: PKINIT error: There are 3 certs, but there
must be exactly one.
[14174] 1700562344.750584: PKINIT client has no configured identity;
giving up
[14174] 1700562344.750585: Preauth module pkinit (16) (real) returned:
22/Invalid argument

This is hard to understand because there is only one certificate on the
Yubikey.

I solved this with the following line in /etc/krb5.conf

 pkinit_cert_match = &&<SUBJECT>UID=.*CN=.*$<ISSUER>CN=YUBIKEY-CA${code}

The line matches our certificate, so there is only one left and kinit is
working now with ECC certificates.

But I am wondering if using pkinit_cert_match without really
understanding why I need it and what the other two certificates are is
such a good idea?
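As an added illustration (not code from the post or from MIT krb5), the following Python reimplements the matching semantics of pkinit_cert_match for its regex components (&& = all must match, || = any must match, && being the default), so the rule quoted above can be watched narrowing a token that exposes three certificates down to exactly one. The three certificates, their labels and DN strings are constructed, with attributes ordered the way the post's `UID=.*CN=.*` regex expects; <EKU>/<KU> components are left out.

```python
import re
from dataclasses import dataclass


@dataclass
class Cert:
    label: str
    subject: str        # subject DN as a string
    issuer: str         # issuer DN as a string
    san: str = ""       # subjectAltName text, if any


# Constructed sample: one login certificate that the post's rule should
# select, plus two placeholder certificates standing in for whatever else
# the PKCS#11 module listed (the post does not say what those two are).
CERTS = [
    Cert("piv-auth", "UID=jdoe,CN=Jane Doe,O=Example", "CN=YUBIKEY-CA,O=Example"),
    Cert("other-1", "CN=Placeholder One,O=Example", "CN=SOME-OTHER-CA"),
    Cert("other-2", "CN=Placeholder Two,O=Example", "CN=YUBIKEY-CA,O=Example"),
]

COMPONENT_RE = re.compile(r"<(SUBJECT|ISSUER|SAN)>")


def parse_rule(rule):
    """Split a pkinit_cert_match string into (operator, [(component, regex), ...])."""
    rule = rule.strip()
    op = "&&"                                   # krb5's documented default
    if rule[:2] in ("&&", "||"):
        op, rule = rule[:2], rule[2:]
    parts = COMPONENT_RE.split(rule)            # ['', 'SUBJECT', regex, 'ISSUER', regex, ...]
    if parts[0].strip() or len(parts) < 3:
        raise ValueError("rule must be one or more <COMPONENT>regex items")
    return op, [(parts[i], parts[i + 1]) for i in range(1, len(parts), 2)]


def cert_matches(cert, op, comps):
    """Apply every component regex to the cert field it names, then combine."""
    fields = {"SUBJECT": cert.subject, "ISSUER": cert.issuer, "SAN": cert.san}
    hits = [re.search(regex, fields[comp]) is not None for comp, regex in comps]
    return all(hits) if op == "&&" else any(hits)


def count_matches(certs, rule):
    op, comps = parse_rule(rule)
    return sum(cert_matches(c, op, comps) for c in certs)


def select_identity(certs, rule):
    """Mirror the client's requirement: exactly one candidate must remain."""
    op, comps = parse_rule(rule)
    matched = [c for c in certs if cert_matches(c, op, comps)]
    if len(matched) != 1:
        raise LookupError(f"There are {len(matched)} certs, but there must be exactly one.")
    return matched[0]
```

Running `select_identity(CERTS, "&&<SUBJECT>UID=.*CN=.*$<ISSUER>CN=YUBIKEY-CA")` returns the login certificate, while a rule that matches two of the three (for example the same components joined with ||) reproduces the "must be exactly one" failure from the trace.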
