Douglas E. Engert wrote:
> This sounds like an interesting change. But could it be reworked to
> allow the use of either the slot_num or the slot_description?
> (But not both.) This would then avoid all the #ifdef SUN_SOLARIS
> and make the mod more general, and easier to test.
>
This sounds like a good suggestion.  In fact, I was also thinking about 
this arrangement prior to submitting this patch.
I will go ahead to make the enhancement and resubmit the patch.

Thanks,
Huie-Ying

> Huie-Ying Lee wrote:
>> Hi,
>>
>> To port the pam_pkcs11 module to OpenSolaris, we made a change in the 
>> slot/token selection scheme to resolve an incompatibility issue 
>> between the OpenSC/pam_pkcs11 module and Solaris Cryptographic 
>> Framework library (a PKCS#11 implementation).     We would like to 
>> share with you why the changes are necessary and hopefully they will 
>> be adopted by the community.
>>
>> ======================================
>> Problem
>> ======================================
>> Currently, the pam_pkcs11 module uses slot_num for the slot/token 
>> selection.   However, this is not safe because there is no guaranteed 
>> ordering of slots returned from the PKCS#11 C_GetSlotList() function, 
>> according to the RSA PKCS#11 specification.
>>
>> On Solaris OS, the libpkcs11 library uses plug-ins to provide the 
>> slots.  An administrator can install or uninstall a plug-in by using 
>> a utility command called "cryptoadm" on Solaris.  Therefore, a 
>> particular slot may be associated with different slot numbers on 
>> different systems or even on the same system on different runs.
>>
>> ======================================
>> Solution
>> ======================================
>> To address the above issue,  our solution is to replace the 
>> "slot_num" entry with a "slot_description" entry in the 
>> "pam_pkcs11.conf" configuration file for the slot/token selection as 
>> illustrated below.
>>
>> --- pam_pkcs11.conf ----
>>
>> pkcs11_module default {
>>
>>   module = /usr/lib/libpkcs11.so;
>>   description = "Solaris PKCS#11 Cryptographic Framework library";
>>   #
>>   # Which slot to use. The slot is specified by the slot description.
>>   # For example, slot_description = "Sun Crypto Softtoken".
>>   #
>>   # An administrator can use the "cryptoadm list -v" command to find
>>   # all the available slots and their slot descriptions. For more
>>   # information, see the libpkcs11(3LIB) and cryptoadm(1m) man pages.
>>   #
>>   # The default value is "none" which means to use the first slot with
>>   # an available token.
>>   #
>>   slot_description = "none"
>>
>>   ...
>>
>> }
>>
>> The slot_description field will be used to specify the slot to be 
>> used.   Its value should be the slot label for the slot, which is 
>> basically the same as the slotDescription string in the CK_SLOT_INFO 
>> structure returned from the C_GetSlotInfo() function.
>>
>> In the original slot_num design, when slot_num is 0, it means to use 
>> the first slot with an available token.   To provide a similar 
>> functionality, an administrator can specify slot_description to be 
>> "none", which also means to use the first slot with an available token.
>>
>> ======================
>> Source changes
>> ======================
>> To implement the solution,  we added and modified several functions 
>> in the pam_pkcs11 source.    We also tested it successfully on Solaris OS.
>> Attached is the patch file for the source changes.   Please let me 
>> know if you have any questions or comments.
>>
>> Thanks,
>> Huie-Ying
>>
>>
>> _______________________________________________
>> opensc-devel mailing list
>> [email protected]
>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>

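The slot selection scheme described in the quoted post, combined with the either/or arrangement suggested in the reply (slot_num or slot_description, but not both), as an added example in C. This is not the submitted patch nor pam_pkcs11's own code: the struct and flag definitions are constructed stand-ins for CK_SLOT_INFO and CKF_TOKEN_PRESENT, the slot table in sample_select() is constructed, and treating slot_num as a 1-based position in the C_GetSlotList() result is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the PKCS#11 pieces used here; a real build would
 * include pkcs11.h and use CK_SLOT_INFO and CKF_TOKEN_PRESENT instead. */
#define SLOT_DESC_LEN 64
#define TOKEN_PRESENT 0x1UL

typedef struct {
    unsigned long id;                         /* CK_SLOT_ID from C_GetSlotList() */
    unsigned char description[SLOT_DESC_LEN]; /* blank-padded, not NUL-terminated */
    unsigned long flags;                      /* CK_SLOT_INFO.flags */
} slot_t;

enum { SEL_OK = 0, SEL_CONFLICT = -1, SEL_NOT_FOUND = -2, SEL_NO_TOKEN = -3 };

/* Length of a blank-padded PKCS#11 text field without its trailing spaces */
static size_t padded_len(const unsigned char *field, size_t n)
{
    while (n > 0 && field[n - 1] == ' ')
        n--;
    return n;
}

/* Exact match against the padded field: strcmp() would run past the 64 bytes,
 * and a prefix test would let "Sun Crypto" match "Sun Crypto Softtoken". */
static int desc_matches(const unsigned char *desc, const char *wanted)
{
    size_t len = padded_len(desc, SLOT_DESC_LEN);
    return strlen(wanted) == len && memcmp(desc, wanted, len) == 0;
}

/* slot_num > 0: legacy scheme, the slot_num-th slot of the list (1-based is an
 * assumption of this example). slot_description other than "none": the slot
 * whose slotDescription matches exactly. Otherwise: first slot with a token.
 * slot_num together with a description is rejected (the either/or proposal). */
int select_slot(const slot_t *slots, size_t nslots, long slot_num,
                const char *slot_description, unsigned long *out_id)
{
    int use_desc = slot_description && strcmp(slot_description, "none") != 0;
    size_t i;

    if (slot_num > 0 && use_desc)
        return SEL_CONFLICT;
    if (slot_num > 0) {
        if ((size_t)slot_num > nslots)
            return SEL_NOT_FOUND;
        if (!(slots[slot_num - 1].flags & TOKEN_PRESENT))
            return SEL_NO_TOKEN;
        *out_id = slots[slot_num - 1].id;
        return SEL_OK;
    }
    for (i = 0; i < nslots; i++) {
        if (use_desc && !desc_matches(slots[i].description, slot_description))
            continue;
        if (slots[i].flags & TOKEN_PRESENT) {
            *out_id = slots[i].id;
            return SEL_OK;
        }
        if (use_desc)
            return SEL_NO_TOKEN; /* the named slot exists, but nothing is inserted */
    }
    return use_desc ? SEL_NOT_FOUND : SEL_NO_TOKEN;
}

/* Fill an entry the way a library would: blank-pad the description */
static void make_slot(slot_t *s, unsigned long id, const char *text, unsigned long flags)
{
    size_t n = strlen(text) > SLOT_DESC_LEN ? SLOT_DESC_LEN : strlen(text);
    s->id = id;
    s->flags = flags;
    memset(s->description, ' ', SLOT_DESC_LEN);
    memcpy(s->description, text, n);
}

/* Constructed slot table in a non-obvious order, standing in for what libpkcs11
 * might return after plug-ins are added or removed with cryptoadm. */
long sample_select(long slot_num, const char *slot_description)
{
    slot_t slots[3];
    unsigned long id = 0;
    int rc;

    make_slot(&slots[0], 12, "Empty Reader", 0);
    make_slot(&slots[1], 3, "Smartcard Reader 0", TOKEN_PRESENT);
    make_slot(&slots[2], 7, "Sun Crypto Softtoken", TOKEN_PRESENT);
    rc = select_slot(slots, 3, slot_num, slot_description, &id);
    return rc == SEL_OK ? (long)id : rc; /* slot id on success, else a SEL_* code */
}

int main(void)
{
    printf("by description -> slot id %ld\n", sample_select(0, "Sun Crypto Softtoken"));
    printf("\"none\"         -> slot id %ld\n", sample_select(0, "none"));
    printf("slot_num+desc  -> rc %ld\n", sample_select(2, "Sun Crypto Softtoken"));
    return 0;
}
```

Two details matter when porting this to the real API: slotDescription is a fixed 64-byte field padded with spaces rather than NUL-terminated, so the configured string has to be compared against the trimmed length, never with strcmp() on the raw field; and nothing in the PKCS#11 specification requires slotDescription values to be unique, so this code takes the first match and an administrator should check the "cryptoadm list -v" output for duplicate descriptions before relying on one.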