Support PKCS11 EC client certs in PKINIT

Move the digest computation and DigestInfo encoding from
cms_signeddata_create() to pkinit_sign_data_pkcs11(), and
conditionalize the DigestInfo encoding on the key type.  Use
CKM_ECDSA instead of CKM_RSA_PKCS for EC keys, and convert the
resulting signature from the PKCS11 encoding to the ASN.1 encoding
required by CMS.

Regenerate the test certificates with an additional EC client cert.
Add test cases for EC client certs with and without PKCS11.

https://github.com/krb5/krb5/commit/f745c9a9bd6c0c73b944182173f1ac305d03dc3a
Author: Greg Hudson
Commit: f745c9a9bd6c0c73b944182173f1ac305d03dc3a
Branch: master

 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 319 +++++++++++++--------
 src/tests/pkinit-certs/ca.pem                      |  32 +--
 src/tests/pkinit-certs/eckey.pem                   |   5 +
 src/tests/pkinit-certs/ecuser.pem                  |  24 ++
 src/tests/pkinit-certs/generic.p12                 | Bin 2469 -> 2560 bytes
 src/tests/pkinit-certs/generic.pem                 |  38 +--
 src/tests/pkinit-certs/kdc.pem                     |  32 +--
 src/tests/pkinit-certs/make-certs.sh               |  11 +-
 src/tests/pkinit-certs/privkey-enc.pem             |  60 ++--
 src/tests/pkinit-certs/privkey.pem                 |  55 ++--
 src/tests/pkinit-certs/user-enc.p12                | Bin 2829 -> 2920 bytes
 src/tests/pkinit-certs/user-upn.p12                | Bin 2821 -> 2912 bytes
 src/tests/pkinit-certs/user-upn.pem                |  32 +--
 src/tests/pkinit-certs/user-upn2.p12               | Bin 2805 -> 2896 bytes
 src/tests/pkinit-certs/user-upn2.pem               |  34 +--
 src/tests/pkinit-certs/user-upn3.p12               | Bin 2821 -> 2912 bytes
 src/tests/pkinit-certs/user-upn3.pem               |  32 +--
 src/tests/pkinit-certs/user.p12                    | Bin 2829 -> 2920 bytes
 src/tests/pkinit-certs/user.pem                    |  30 +-
 src/tests/t_pkinit.py                              |  20 ++
 20 files changed, 437 insertions(+), 287 deletions(-)
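
An added example, not code from the krb5 commit: a self-contained sketch of the signature conversion the commit message describes. It assumes the token returns the CKM_ECDSA signature as the fixed-length concatenation r||s that PKCS #11 specifies, and that CMS needs the DER ECDSA-Sig-Value, SEQUENCE { INTEGER r, INTEGER s }. The names der_uint and ecdsa_raw_to_der and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode an unsigned big-endian value as a DER INTEGER; returns its length. */
static size_t der_uint(const uint8_t *v, size_t len, uint8_t *out)
{
    size_t n = 0;
    while (len > 1 && *v == 0)        /* DER requires the minimal encoding */
        v++, len--;
    int pad = (*v & 0x80) != 0;       /* a leading 0x00 keeps it non-negative */
    out[n++] = 0x02;                  /* INTEGER tag */
    out[n++] = (uint8_t)(len + pad);  /* at most 67, so short-form length */
    if (pad)
        out[n++] = 0x00;
    memcpy(out + n, v, len);
    return n + len;
}

/* Convert raw r||s (equal halves, each at most 66 bytes as for P-521) to a
 * DER ECDSA-Sig-Value.  Returns the DER length, or 0 on bad input or if the
 * output buffer is too small. */
size_t ecdsa_raw_to_der(const uint8_t *sig, size_t siglen,
                        uint8_t *out, size_t cap)
{
    uint8_t body[2 * (2 + 1 + 66)];
    size_t half = siglen / 2, blen, n = 0;

    if (siglen == 0 || siglen % 2 != 0 || half > 66)
        return 0;
    blen = der_uint(sig, half, body);
    blen += der_uint(sig + half, half, body + blen);
    if (cap < blen + 3)               /* conservative: tag plus 2 length bytes */
        return 0;
    out[n++] = 0x30;                  /* SEQUENCE tag */
    if (blen > 127)
        out[n++] = 0x81;              /* long-form length, reached with P-521 */
    out[n++] = (uint8_t)blen;
    memcpy(out + n, body, blen);
    return n + blen;
}

int main(void)
{
    uint8_t raw[4] = { 0x00, 0x7f, 0x80, 0x01 }, der[16]; /* constructed */
    size_t n = ecdsa_raw_to_der(raw, sizeof(raw), der, sizeof(der));
    for (size_t i = 0; i < n; i++)
        printf("%02x", der[i]);
    printf("\n");
    return n == 0;
}
```

The two cases that break naive conversions are both covered: a high bit in r or s needs a 0x00 prefix so the INTEGER is not read as negative, and P-521 signatures push the SEQUENCE body past 127 bytes, which requires the long-form length.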