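I want to authenticate using the store[1] preauth question with "pkinit". But I cannot answer the kerberos question, because it is not in the list of questions returned by "pkinit". Only krb5_responder_list_questions() is asked. How can I add "password", or even "pkinit", to the list of preauth questions?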
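Answer 0 (score: 1)
I finally got it working. The problem was that a previous PKCS11 session had not been closed before the PKINIT process tried to open a new one.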
103: C_Initialize
2017-01-12 17:46:43.597
[in] pInitArgs = (nil)
Returned: 401 CKR_CRYPTOKI_ALREADY_INITIALIZED
C_Initialize: cryptoki already initialized
can't open pkcs11 session
104: C_Finalize
2017-01-12 17:46:43.598
Returned: 0 CKR_OK
pkinit_client_prep_questions: no questions to ask
pkinit_client_prep_questions returning 0
pkinit_client_prep_questions: no questions to ask
pkinit_client_prep_questions returning 0
questions_to_answer=password
pkinit_client_process 0x7fffe409f1f0 0x7fffe409f7b0 0x7fffe40a1e70 0x7fffe40a1c20
processing KRB5_PADATA_PK_AS_REQ
pkinit_client_profile 0x7fffe409f1f0 0x7fffe409f7b0 0x7fffe40a1e70 0x7fffe40a2538
pkinit_identity_prompt: 0x7fffe409f1f0 0x7fffe40a23f0 0x7fffe40a2290
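If all previously opened sessions have been closed and the KDC is configured to require PKINIT preauthentication from the client, we should get the following result: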
111: C_CloseSession
2017-01-12 18:05:04.655
[in] hSession = 0xbabfcb7f
Returned: 0 CKR_OK
112: C_Finalize
2017-01-12 18:05:04.655
Returned: 0 CKR_OK
pkinit_client_prep_questions: asking question '{"PKCS11:module_name=/usr/local/lib/pkcs11-spy.so:slotid=1:token=CCC":0}'
pkinit_client_prep_questions returning 0
pkinit_client_prep_questions: asking question '{"PKCS11:module_name=/usr/local/lib/pkcs11-spy.so:slotid=1:token=CCC":0}'
pkinit_client_prep_questions returning 0
questions_to_answer=pkinit
pkinit_client_process 0x7fffe4096090 0x7fffe4066cc0 0x7fffe4089760 0x7fffe40897f0
processing KRB5_PADATA_PK_AS_REQ
pkinit_client_profile 0x7fffe4096090 0x7fffe4066cc0 0x7fffe4089760 0x7fffe4089f38
pkinit_identity_prompt: 0x7fffe4096090 0x7fffe4089df0 0x7fffe4089c70
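An added example (not from the original post or from the Kerberos code base): a small Python check that reads a combined pkcs11-spy and PKINIT debug trace like the two above and reports whether C_Initialize failed with CKR_CRYPTOKI_ALREADY_INITIALIZED while no PKINIT question was asked. The sample logs are constructed from lines quoted in the answer; the function name `diagnose` and its result keys are assumptions.

```python
import re

# Constructed samples, abridged from the two traces quoted in the answer.
FAILING_LOG = """\
103: C_Initialize
[in] pInitArgs = (nil)
Returned: 401 CKR_CRYPTOKI_ALREADY_INITIALIZED
can't open pkcs11 session
104: C_Finalize
Returned: 0 CKR_OK
pkinit_client_prep_questions: no questions to ask
questions_to_answer=password
"""
WORKING_LOG = """\
111: C_CloseSession
Returned: 0 CKR_OK
112: C_Finalize
Returned: 0 CKR_OK
pkinit_client_prep_questions: asking question '{"PKCS11:module_name=/usr/local/lib/pkcs11-spy.so:slotid=1:token=CCC":0}'
questions_to_answer=pkinit
"""

CALL = re.compile(r"^\d+: (C_\w+)$")             # pkcs11-spy call header
RET = re.compile(r"^Returned: \d+ (CKR_\w+)$")   # pkcs11-spy return code
ASK = re.compile(r"^pkinit_client_prep_questions: asking question '(.*)'$")
ANSWER = re.compile(r"^questions_to_answer=(.*)$")

def diagnose(log):
    """Summarise PKCS#11 call results and responder questions in a trace."""
    calls, asked, to_answer, current = [], [], [], None
    for line in (l.strip() for l in log.splitlines()):
        if m := CALL.match(line):
            current = m.group(1)
        elif (m := RET.match(line)) and current:
            calls.append((current, m.group(1)))   # pair call with its result
            current = None
        elif m := ASK.match(line):
            asked.append(m.group(1))
        elif m := ANSWER.match(line):
            to_answer.append(m.group(1))
    failed = [(c, r) for c, r in calls if r != "CKR_OK"]
    stale = ("C_Initialize", "CKR_CRYPTOKI_ALREADY_INITIALIZED") in failed
    # Symptom from the answer: the module was still initialised, so PKINIT
    # could not open its own session and asked no question.
    return {"failed_calls": failed, "pkinit_asked": bool(asked),
            "to_answer": to_answer, "stale_pkcs11_state": stale and not asked}

if __name__ == "__main__":
    print(diagnose(FAILING_LOG))
    print(diagnose(WORKING_LOG))
```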