On Wed, 1 Jul 2009, Valerie Bubb Fenwick wrote:

> On Wed, 1 Jul 2009, Krishna Yenduri wrote:
>
>> Valerie Bubb Fenwick wrote:
>>> On Tue, 30 Jun 2009, Krishna Yenduri wrote:
>>>
>>> ...
>>>>>
>>>>>>
>>>>>>
>>>>>> http://cr.opensolaris.org/~bubbva/fips-work.5/
>>>>>
>>>>> KY-1 elfsign(1) command
>>>>>
>>>>> ...
>>>>
>>>> The specific case I had in mind is when elfsign is used with a SCA6000.
>>>
>>> Hi Krishna -
>>>
>>> I have access to a test machine with SCA 6000 on it that I can check this
>>> on (unfortunately, running the crypto tests unconfigured that, so I'll have
>>> to see if I can get help to get it working again), but looking at the
>>> code, specifically in libelfsign's elfcertlib_settoken(), I'm not sure
>>> if we've tested this specific situation since we KMF'ized libelfsign.
>>>
>>> This may be a problem. I'll let you know.
>>
>> I am now fairly certain that this will be a problem since elfsign needs to
>> call libpkcs11/pkcs11_kernel routines to be able to use SCA 6000.
>
> Once the network was functioning again, I did verify that it was indeed
> a problem. While I can't find anyone actually using this flag, it is a good
> feature and has been backported to S10, so we shouldn't break it. :)
>
>> One solution could be to do this symbol interposing
>> in kcfd instead of doing it in libelfsign. This should be fine since all the
>> signature verification is done by kcfd.
>
> That's not a bad idea. Tony & I had been talking more about making
> changes to KMF, but that's another place we could maybe do this. I
> will try that as well today.

Actually, I just thought about that more, and it won't work, because
elfsign (the command) doesn't go through kcfd. So, making the changes
there would require rearchitecting of the elfsign command.

Valerie
--
Valerie Fenwick, http://blogs.sun.com/bubbva/ @bubbva
Solaris Security Technologies, Developer, Sun Microsystems, Inc.
17 Network Circle, Menlo Park, CA, 94025.
