John Zolnowsky x69422/408-404-5064 wrote:
>> Date: Sat, 28 Mar 2009 04:02:08 +0100
>> From: Andreas Portele <ultrasparc at rechnerpool.de>
>> 28.03.2009 at 03:41, John Zolnowsky x69422/408-404-5064 wrote:
>>>> Date: Sat, 28 Mar 2009 03:01:07 +0100
>>>> From: Andreas Portele <ultrasparc at rechnerpool.de>
>>>>
>>>> Hi!
>>>>
>>>> I have a weird problem loading a signed kcf crypto provider. I was
>>>> already able to load it back in time, but it stopped working for some
>>>> unknown reason.
>>>>
>>>> elfsign says everything is ok:
>>>>
>>>> -----8<-----8<------8<---
>>>>
>>>> # elfsign verify padlock
>>>> elfsign: verification of padlock passed.
>>> What does "elfsign verify -v padlock" yield?
>>> What does "svcs cryptosvc" say?
>>> Are there any syslog/console messages from kcfd?
>> #elfsign verify -v padlock
>> elfsign: verification of padlock passed.
>> format: rsa_sha1.
>> signer: C=US, CN=portele.
>          ^^^^^^^^^^^^^^^^
> The padlock crypto module was not signed with a cryptographic framework
> key/certificate pair. For example:
> # elfsign verify -v /kernel/crypto/aes
> elfsign: verification of /kernel/crypto/aes passed.
> format: rsa_sha1.
> signer: O=Sun Microsystems Inc, OU=Solaris Cryptographic Framework, CN=SunOS 5.10.
> signed on: Wed Dec 10 22:59:42 2008.
>
>> signed on: Sat Mar 28 03:32:12 2009.
>>
>> ---------------------------------------
>>
>> # svcs cryptosvc
>> STATE STIME FMRI
>> online Mar_26 svc:/system/cryptosvc:default
>>
>> ------------------------------
>>
>> there are no kcfd messages.
>>
>> I think module signing never worked here. The problem arose after
>> adding a cipher_ops to the crypto_ops struct (just back checked). But
>> as long as there are no cipher_ops or similar ops in crypto_ops, there
>> will be done no signing verification.. so this never hit me until now.
>
> Modules can't register cryptographic operations unless the module
> has been signed with a cryptographic framework certificate key/pair.
> See the elfsign(1) manpage for information on requesting such a pair.
>
> -JZ

Andreas Portele has already been issued a certificate to sign modules, so it should be valid.

Tony