This sounds like an interesting change. But could it be reworked to
allow the use of either the slot_num or the slot_description?
(But not both.) This would then avoid all the #ifdef SUN_SOLARIS
and make the mod more general, and easier to test.
Huie-Ying Lee wrote:
> Hi,
>
> To port the pam_pkcs11 module to OpenSolaris, we made a change in the
> slot/token selection scheme to resolve an incompatibility issue between
> the OpenSC/pam_pkcs11 module and Solaris Cryptographic Framework library
> (a PKCS#11 implementation). We would like to share with you why the
> changes are necessary and hopefully they will be adopted by the community.
>
> ======================================
> Problem
> ======================================
> Currently, the pam_pkcs11 module uses slot_num for the slot/token
> selection. However, this is not safe because there is no guaranteed
> ordering of slots returned from the PKCS#11 C_GetSlotList() function,
> according to the RSA PKCS#11 specification.
>
> On Solaris OS, the libpkcs11 library uses plug-ins to provide the
> slots. An administrator can install or uninstall a plug-in by using a
> utility command called "cryptoadm" on Solaris. Therefore, a particular
> slot may be associated with different slot numbers on different systems
> or even on the same system on different runs.
>
> ======================================
> Solution
> ======================================
> To address the above issue, our solution is to replace the "slot_num"
> entry with a "slot_description" entry in the "pam_pkcs11.conf"
> configuration file for the slot/token selection as illustrated below.
>
> --- pam_pkcs11.conf ----
>
> pkcs11_module default {
>
> module = /usr/lib/libpkcs11.so;
> description = "Solaris PKCS#11 Cryptographic Framework library";
> #
> # Which slot to use. The slot is specified by the slot description.
> # For example, slot_description = "Sun Crypto Softtoken".
> #
> # An administrator can use the "cryptoadm list -v" command to find
> # all the available slots and their slot descriptions. For more
> # information, see the libpkcs11(3LIB) and cryptoadm(1m) man pages.
> #
> # The default value is "none" which means to use the first slot with
> # an available token.
> #
> slot_description = "none"
>
> ...
>
> }
>
> The slot_description field will be used to specify the slot to be
> used. Its value should be the slot label for the slot, which is
> basically the same as the slotDescription string in the CK_SLOT_INFO
> structure returned from the C_GetSlotInfo() function.
>
> In the original slot_num design, when slot_num is 0, it means to use the
> first slot with an available token. To provide a similar
> functionality, an administrator can specify slot_description to be
> "none", which also means to use the first slot with an available token.
>
> ======================
> Source changes
> ======================
> To implement the solution, we added and modified several functions to
> the pam_pkcs11 source. We also successfully tested on Solaris OS.
> Attached is the patch file for the source changes. Please let me know
> if you have any questions or comments.
>
> Thanks,
> Huie-Ying
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> opensc-devel mailing list
> [email protected]
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
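As an added example, not part of this thread and not the patch Sun attached or pam_pkcs11's own code, here is the selection logic the two messages describe, in C: matching slot_description against the blank-padded slotDescription field of CK_SLOT_INFO, the "none" fallback to the first slot with a token, and the either-slot_num-or-slot_description rule Engert asks for. The CK_* definitions, the C_GetSlotList()/C_GetSlotInfo() stand-ins and the slot table are constructed so the file builds and runs without a PKCS#11 module; the 1-based meaning of slot_num and the SEL_AMBIGUOUS return code are assumptions of this example.

```c
/* Added example, not pam_pkcs11's own code: select a PKCS#11 slot by its
 * slotDescription rather than its position in C_GetSlotList(), accepting
 * slot_num or slot_description but not both.  The CK_* names, the two C_*
 * functions and the slot table are constructed stand-ins for <pkcs11.h> and
 * a real module so this builds and runs offline. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG, CK_RV, CK_SLOT_ID, CK_FLAGS;
#define CKR_OK               0x00UL
#define CKR_SLOT_ID_INVALID  0x03UL
#define CKR_ARGUMENTS_BAD    0x07UL
#define CKR_BUFFER_TOO_SMALL 0x150UL
#define CKF_TOKEN_PRESENT    0x01UL
#define SEL_AMBIGUOUS        0x80000001UL   /* assumed vendor-range code: >1 slot matched */
typedef struct { unsigned char slotDescription[64]; CK_FLAGS flags; } CK_SLOT_INFO;
/* Constructed slot table: non-sequential IDs, and two slots share a description. */
static const struct { CK_SLOT_ID id; const char *desc; CK_FLAGS flags; } SLOTS[] = {
    {  7, "Sun Metaslot",             0 },
    {  3, "Sun Crypto Softtoken",     CKF_TOKEN_PRESENT },
    { 12, "Virtual Smartcard Reader", CKF_TOKEN_PRESENT },
    {  5, "Virtual Smartcard Reader", CKF_TOKEN_PRESENT },
};
#define NSLOTS (sizeof SLOTS / sizeof SLOTS[0])

/* Stand-in: ignores tokenPresent and always lists every slot, in table order. */
static CK_RV C_GetSlotList(unsigned char tokenPresent, CK_SLOT_ID *list, CK_ULONG *count) {
    if (list != NULL) {
        if (*count < NSLOTS) return CKR_BUFFER_TOO_SMALL;
        for (size_t i = 0; i < NSLOTS; i++) list[i] = SLOTS[i].id;
    }
    *count = NSLOTS;
    return CKR_OK;
}

static CK_RV C_GetSlotInfo(CK_SLOT_ID id, CK_SLOT_INFO *info) {
    for (size_t i = 0; i < NSLOTS; i++) {
        if (SLOTS[i].id != id) continue;
        /* Per spec the field is 64 bytes, blank padded, not NUL terminated. */
        size_t n = strlen(SLOTS[i].desc);
        memset(info->slotDescription, ' ', 64);
        memcpy(info->slotDescription, SLOTS[i].desc, n > 64 ? 64 : n);
        info->flags = SLOTS[i].flags;
        return CKR_OK;
    }
    return CKR_SLOT_ID_INVALID;
}

/* NUL-terminated config value vs. blank-padded field: strcmp() would overrun
 * the field and strncmp() would accept a bare prefix, so compare by hand. */
static bool desc_matches(const unsigned char field[64], const char *want) {
    size_t n = strlen(want);
    if (n > 64 || memcmp(field, want, n) != 0) return false;
    for (size_t i = n; i < 64; i++)
        if (field[i] != ' ') return false;
    return true;
}

/* slot_num 0 and slot_description "none" both mean "first slot with a token";
 * slot_num N>0 is assumed to be a 1-based index into C_GetSlotList() order. */
struct slot_cfg { CK_ULONG slot_num; const char *slot_description; };

static CK_RV select_slot(const struct slot_cfg *cfg, CK_SLOT_ID *out) {
    bool by_num  = cfg->slot_num != 0;
    bool by_desc = cfg->slot_description != NULL && strcmp(cfg->slot_description, "none") != 0;
    if (by_num && by_desc) return CKR_ARGUMENTS_BAD;     /* exactly one selector */
    CK_SLOT_ID ids[32]; CK_ULONG n = sizeof ids / sizeof ids[0];
    CK_RV rv = C_GetSlotList(0, ids, &n);
    if (rv != CKR_OK) return rv;
    if (by_num) {                                        /* position: unstable across runs */
        if (cfg->slot_num > n) return CKR_SLOT_ID_INVALID;
        *out = ids[cfg->slot_num - 1];
        return CKR_OK;
    }
    long found = -1;
    for (CK_ULONG i = 0; i < n; i++) {
        CK_SLOT_INFO info;
        if (C_GetSlotInfo(ids[i], &info) != CKR_OK) continue;
        bool hit = by_desc ? desc_matches(info.slotDescription, cfg->slot_description)
                           : (info.flags & CKF_TOKEN_PRESENT) != 0;
        if (!hit) continue;
        if (found >= 0) return SEL_AMBIGUOUS;            /* never guess between twins */
        found = (long)i;
        if (!by_desc) break;                             /* "none": first token wins */
    }
    if (found < 0) return CKR_SLOT_ID_INVALID;
    *out = ids[found]; return CKR_OK;
}

/* Slot ID on success, negated CK_RV on failure. */
static long pick(CK_ULONG slot_num, const char *desc) {
    struct slot_cfg cfg = { slot_num, desc }; CK_SLOT_ID id;
    CK_RV rv = select_slot(&cfg, &id);
    return rv == CKR_OK ? (long)id : -(long)rv;
}

int main(void) {
    printf("none=%ld desc=%ld num2=%ld both=%ld dup=%ld\n", pick(0, "none"),
           pick(0, "Sun Crypto Softtoken"), pick(2, "none"),
           pick(2, "Sun Crypto Softtoken"), pick(0, "Virtual Smartcard Reader"));
    return 0;
}
```

Two choices worth noting. A slot selected by description is used whether or not a token is present (so the administrator's intent is honoured and a missing card shows up as a later token error, not as a silent switch to another slot), while two slots carrying the same description are refused rather than resolved by list order, since list order is exactly what this scheme exists to stop relying on. Against a real module the calls would go through the CK_FUNCTION_LIST obtained from C_GetFunctionList() rather than direct symbols.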