Re: [Fed-Talk] Apple tokendPKCS11.so - Another fail?
- Subject: Re: [Fed-Talk] Apple tokendPKCS11.so - Another fail?
- From: "Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.]" <email@hidden>
- Date: Thu, 3 Sep 2009 14:48:30 -0500
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] Apple tokendPKCS11.so - Another fail?
On Sep 3, 2009, at 3:31 PM, Miller, Timothy J. wrote:
On 9/3/09 1:01 PM, "Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.]" <email@hidden> wrote:
The PKCS#11 Shim in Snow Leopard works with our PIV Cards / Authentication Certificates with 2048 key size:
It also works with Safari after a proper identity preference is set.
Safari uses securityd directly, not the PKCS#11 module. I know Safari works (as much as it did in Leopard, but no better) and that's not a problem for me. However, I can't get FF to work with the new module and my card.
I'm aware of how Safari works. I was confused by your comment "(since Safari is still effectively broken)", and was thinking that SSL in Safari was failing for you as well; I was just commenting that that works. I realize now it's probably related to a different issue, the SSL failure you're commenting on about Safari; I wasn't tracking what that was. I might be more impressed that SSL with the PIV card works in Safari for Snow Leopard, since it had not worked for us with the 2048 key sizes in Leopard.
Not sure why it isn't working for your CAC. I would test the other
functionality of the CAC.tokend [ desktop login / filevault user creation with
tokenadmin] and verify with other web sites and other CAC cards.
I'm actually getting SSL_ERROR_SIGN_HASHES_FAILURE. Running FF with NSS_DEBUG_PKCS11_MODULE set gives me this:
-1335791616[1a63a0e0]: C_Sign
-1335791616[1a63a0e0]: hSession = 0x2
-1335791616[1a63a0e0]: pData = 0xb061679c
-1335791616[1a63a0e0]: ulDataLen = 36
-1335791616[1a63a0e0]: pSignature = 0x1b8c9240
-1335791616[1a63a0e0]: pulSignatureLen = 0xb06166d8
-1335791616[1a63a0e0]: *pulSignatureLen = 0x80
-1335791616[1a63a0e0]: rv = CKR_FUNCTION_FAILED
I see a visit to Radar / Bug Reporter in your future.
This happens when I use both the CAC and PIV tokends (my CAC is a CAC/PIV-II with RSA1024 PIV certs on it).
-- Tim
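An added example (not part of the original message, and not NSS or Apple code): a small Python parser for NSS_DEBUG_PKCS11_MODULE-style trace lines that groups them into calls per thread and summarizes a failed C_Sign. The sample is the trace quoted in the message, laid out one entry per line; the names `parse_calls` and `triage` are hypothetical, and reading the 36-byte input as the TLS MD5+SHA-1 hash pair is an interpretation the thread itself does not state.

```python
import re

# Constructed sample: the C_Sign trace quoted in the message, one entry per line.
SAMPLE = """\
-1335791616[1a63a0e0]: C_Sign
-1335791616[1a63a0e0]: hSession = 0x2
-1335791616[1a63a0e0]: pData = 0xb061679c
-1335791616[1a63a0e0]: ulDataLen = 36
-1335791616[1a63a0e0]: pSignature = 0x1b8c9240
-1335791616[1a63a0e0]: pulSignatureLen = 0xb06166d8
-1335791616[1a63a0e0]: *pulSignatureLen = 0x80
-1335791616[1a63a0e0]: rv = CKR_FUNCTION_FAILED
"""
LINE = re.compile(r"^(-?\d+)\[[0-9a-fA-F]+\]:\s*(.*)$")   # thread[id]: body
PARAM = re.compile(r"^(\*?\w+)\s*=\s*(.+)$")              # name = value

def parse_calls(text):
    """Group trace lines per thread into {'func', 'args', 'rv'} records."""
    open_calls, done = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a trace line
        thread, body = m.groups()
        p = PARAM.match(body)
        if p is None:
            if body.startswith("C_"):  # a new PKCS#11 call begins on this thread
                open_calls[thread] = {"func": body, "args": {}, "rv": None}
        elif thread in open_calls:
            name, value = p.groups()
            if name == "rv":  # the return value closes the call
                done.append({**open_calls.pop(thread), "rv": value})
            else:
                open_calls[thread]["args"][name] = value
    return done

def triage(call):
    """Return notes for a failed C_Sign; an empty list for anything else."""
    if call["func"] != "C_Sign" or call["rv"] == "CKR_OK":
        return []
    notes, args = [f"C_Sign failed: {call['rv']}"], call["args"]
    if int(args.get("ulDataLen", "0"), 0) == 36:
        # Assumption: 16-byte MD5 + 20-byte SHA-1, as signed for TLS 1.0/1.1 RSA client auth
        notes.append("input is 36 bytes (MD5+SHA-1 pair)")
    if "*pulSignatureLen" in args:
        bits = int(args["*pulSignatureLen"], 0) * 8  # buffer length in bytes -> modulus bits
        notes.append(f"signature buffer sized for RSA-{bits}")
    return notes
```

Running `triage` over each record from `parse_calls` on a full Firefox trace shows which signing calls failed and with what input and key sizes, which is the detail a bug report on the module needs.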
_______________________________________________
Fed-talk mailing list (email@hidden)