[As suggested by Will, this is a repost,
with the addition of crypto-discuss at opensolaris.org]
Sun appears to be headed down the path of using /usr/lib/libpkcs11.so
with Kerberos PKINIT as well as pam_pkcs11.so, and it was said
opensc-pkcs11.so works with libpkcs11. So I wanted to try this for
myself.
I obtained an elfsign certificate from Sun, signed the opensc-pkcs11.so,
and installed it using cryptoadm install provider=..../opensc-pkcs11.so
Using opensc-0.11.6 and pcscd, I have run into two related problems,
and a problem where sshd (and dtlogin) will not run if opensc-pkcs11.so
is listed as a provider.
Sun appears to expect C_GetMechanismList to return a list if there is a slot
present, even if there is no token present. See the attached cryptoadmin.txt
I think this is a bug in Sun's code. PKCS#11 2.01 and 2.20 say:
"C_GetMechanismList is used to obtain a list of mechanism
types supported by a token."
If there is no token they should not ask for a list of mechanisms. Note
that cryptoadm shows that there is no token present in the slot.
The above test was run with the following patch installed.
OpenSC will show a slot is present if there is a reader, but
will segfault if C_GetMechanismList is called for an unused
virtual slot. I submitted OpenSC ticket #181.
The attached slot.null.txt is a gdb trace of the Sun cryptoadm
calling C_GetMechanismList for the first of the virtual slots.
There is a card in the reader using the first 4 slots.
Note that sc_pkcs11_get_mechanism_list is called with p11card=0x0.
Ticket #181 gets around this.
I have not tracked down the sshd and login problems yet.
I am assuming that is related to no mechanism list.
Note that sshd should not be using the console user's
smartcard for any crypto!
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
-------------- next part --------------
Name: slot.null.txt
URL:
<http://mail.opensolaris.org/pipermail/kerberos-discuss/attachments/20081006/b8858921/attachment.txt>
-------------- next part --------------
Name: crytpoadm.txt
URL:
<http://mail.opensolaris.org/pipermail/kerberos-discuss/attachments/20081006/b8858921/attachment-0001.txt>
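The slot-versus-token distinction the post turns on, shown as an added example that is not code from the post, from OpenSC or from Sun. It models a toy PKCS#11 module with one reader holding a card and one empty (virtual) slot: the module side returns CKR_TOKEN_NOT_PRESENT from its mechanism-list call instead of dereferencing a NULL token (the crash described above), and the caller side checks CKF_TOKEN_PRESENT in the slot flags before asking for mechanisms at all. The CKR_*/CKF_*/CKM_* constants carry their standard PKCS#11 values; the struct layouts, the `mod_*` function names and the `slots` table are simplified stand-ins for the real CK_SLOT_INFO and C_* entry points, constructed for this example.

```c
/* Added example, not from the original post, OpenSC or Sun: a toy PKCS#11
 * "module" and a caller, showing both sides of the slot / token check.
 * Constants carry their standard PKCS#11 values; structs and mod_* names
 * are simplified stand-ins for CK_SLOT_INFO, C_GetSlotInfo and
 * C_GetMechanismList. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_RV;
typedef unsigned long CK_SLOT_ID;
typedef unsigned long CK_ULONG;
typedef unsigned long CK_MECHANISM_TYPE;
typedef unsigned long CK_FLAGS;

#define CKR_OK                0x000UL
#define CKR_SLOT_ID_INVALID   0x003UL
#define CKR_ARGUMENTS_BAD     0x007UL
#define CKR_TOKEN_NOT_PRESENT 0x0E0UL
#define CKR_BUFFER_TOO_SMALL  0x150UL
#define CKF_TOKEN_PRESENT     0x001UL

#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x000UL
#define CKM_RSA_PKCS              0x001UL
#define CKM_SHA_1                 0x220UL

/* Hypothetical module state: a token ("card") that may or may not be in a slot. */
struct token {
    const CK_MECHANISM_TYPE *mechs;
    CK_ULONG nmechs;
};

struct slot {
    const char *reader;
    const struct token *card; /* NULL when the reader is empty (cf. p11card=0x0) */
};

static const CK_MECHANISM_TYPE card_mechs[] = {
    CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_PKCS, CKM_SHA_1
};
static const struct token card = { card_mechs, 3 };

/* Constructed sample: one reader with a card, one empty (virtual) slot. */
static const struct slot slots[] = {
    { "reader0", &card },
    { "reader1", NULL },
};
#define NSLOTS (sizeof slots / sizeof slots[0])

/* Module side: the flags C_GetSlotInfo would report for a slot. */
CK_RV mod_get_slot_flags(CK_SLOT_ID id, CK_FLAGS *flags)
{
    if (flags == NULL) return CKR_ARGUMENTS_BAD;
    if (id >= NSLOTS) return CKR_SLOT_ID_INVALID;
    *flags = slots[id].card ? CKF_TOKEN_PRESENT : 0;
    return CKR_OK;
}

/* Module side: C_GetMechanismList with the missing-token check in place.
 * list may be NULL to query only the count, as in the PKCS#11 convention. */
CK_RV mod_get_mechanism_list(CK_SLOT_ID id, CK_MECHANISM_TYPE *list, CK_ULONG *count)
{
    if (count == NULL) return CKR_ARGUMENTS_BAD;
    if (id >= NSLOTS) return CKR_SLOT_ID_INVALID;
    const struct token *t = slots[id].card;
    if (t == NULL) return CKR_TOKEN_NOT_PRESENT; /* no token: report it, do not dereference */
    if (list == NULL) { *count = t->nmechs; return CKR_OK; }
    if (*count < t->nmechs) { *count = t->nmechs; return CKR_BUFFER_TOO_SMALL; }
    memcpy(list, t->mechs, t->nmechs * sizeof *list);
    *count = t->nmechs;
    return CKR_OK;
}

/* Caller side: ask for mechanisms only where a token is present.
 * Returns the number of slots actually queried, or -1 on an unexpected error. */
int list_mechanisms_of_present_tokens(void)
{
    int queried = 0;
    for (CK_SLOT_ID id = 0; id < NSLOTS; id++) {
        CK_FLAGS flags;
        if (mod_get_slot_flags(id, &flags) != CKR_OK) return -1;
        if (!(flags & CKF_TOKEN_PRESENT)) {
            printf("slot %lu (%s): no token, skipping mechanism list\n", id, slots[id].reader);
            continue;
        }
        CK_MECHANISM_TYPE mechs[16];
        CK_ULONG n = sizeof mechs / sizeof mechs[0];
        if (mod_get_mechanism_list(id, mechs, &n) != CKR_OK) return -1;
        printf("slot %lu (%s): %lu mechanisms\n", id, slots[id].reader, n);
        queried++;
    }
    return queried;
}

int main(void)
{
    return list_mechanisms_of_present_tokens() == 1 ? 0 : 1;
}
```

Run against the constructed table, the caller queries only reader0 and skips reader1; calling the module directly on the empty slot yields CKR_TOKEN_NOT_PRESENT rather than a crash, which is the behaviour a caller like cryptoadm can act on.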