> Date: Sat, 28 Mar 2009 04:02:08 +0100
> From: Andreas Portele <ultrasparc at rechnerpool.de>
> On 28.03.2009 at 03:41, John Zolnowsky x69422/408-404-5064 wrote:
> >> Date: Sat, 28 Mar 2009 03:01:07 +0100
> >> From: Andreas Portele <ultrasparc at rechnerpool.de>
> >>
> >> Hi!
> >>
> >> I have a weird problem loading a signed kcf crypto provider. I was
> >> already able to load it back in time, but it stopped working for some
> >> unknown reason.
> >>
> >> elfsign says everything is ok:
> >>
> >> -----8<-----8<------8<---
> >>
> >> # elfsign verify padlock
> >> elfsign: verification of padlock passed.
> >
> > What does "elfsign verify -v padlock" yield?
> > What does "svcs cryptosvc" say?
> > Are there any syslog/console messages from kcfd?
>
> #elfsign verify -v padlock
> elfsign: verification of padlock passed.
> format: rsa_sha1.
> signer: C=US, CN=portele.
          ^^^^^^^^^^^^^^^^
The padlock crypto module was not signed with a cryptographic framework
key/certificate pair. For example:

    # elfsign verify -v /kernel/crypto/aes
    elfsign: verification of /kernel/crypto/aes passed.
    format: rsa_sha1.
    signer: O=Sun Microsystems Inc, OU=Solaris Cryptographic Framework, CN=SunOS 5.10.
    signed on: Wed Dec 10 22:59:42 2008.

> signed on: Sat Mar 28 03:32:12 2009.
>
> ---------------------------------------
>
> # svcs cryptosvc
> STATE          STIME    FMRI
> online         Mar_26   svc:/system/cryptosvc:default
>
> ------------------------------
>
> there are no kcfd messages.
>
> I think module signing never worked here. The problem arose after
> adding a cipher_ops to the crypto_ops struct (just back checked). But
> as long as there are no cipher_ops or similar ops in crypto_ops, there
> will be done no signing verification.. so this never hit me until now.

Modules can't register cryptographic operations unless the module has
been signed with a cryptographic framework certificate key/pair. See
the elfsign(1) manpage for information on requesting such a pair.

-JZ
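
Added example, not part of the original message or of Solaris: the thread shows that "verification passed" alone does not say who signed a module, so this sketch reads `elfsign verify -v` output and separates a framework signer from any other signer. The function names, the verdict strings and the use of the OU from the `/kernel/crypto/aes` output as the expected value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage `elfsign verify -v` output by signer DN.
# Assumption: framework-signed modules carry the OU shown for /kernel/crypto/aes
# in the message above. A DN string match is triage only; the framework's own
# certificate validation decides what may register operations.
EXPECTED_OU="Solaris Cryptographic Framework"

# Reads `elfsign verify -v` output on stdin and prints a verdict.
# Returns 0 = framework signer, 1 = passed but other signer, 2 = not verified.
classify_signer() {
    out=$(cat)
    case "$out" in
        *"verification of "*" passed."*) ;;
        *) echo "UNVERIFIED"; return 2 ;;
    esac
    # Signer line looks like "signer: C=US, CN=portele." (trailing dot dropped).
    signer=$(printf '%s\n' "$out" |
        sed -n 's/^[[:space:]]*signer:[[:space:]]*//p' |
        sed 's/\.[[:space:]]*$//' | head -n 1)
    [ -n "$signer" ] || { echo "UNVERIFIED"; return 2; }
    # Split the DN into components and require an exact OU component match,
    # so a CN that merely contains the OU text does not count.
    ou=$(printf '%s\n' "$signer" | tr ',' '\n' |
        sed -n 's/^[[:space:]]*OU=//p' | head -n 1)
    if [ "$ou" = "$EXPECTED_OU" ]; then
        echo "FRAMEWORK: $signer"; return 0
    fi
    echo "OTHER-SIGNER: $signer"; return 1
}

# Sample inputs: the two outputs quoted in the message above.
sample_padlock() {
    cat <<'EOF'
elfsign: verification of padlock passed.
format: rsa_sha1.
signer: C=US, CN=portele.
signed on: Sat Mar 28 03:32:12 2009.
EOF
}
sample_aes() {
    cat <<'EOF'
elfsign: verification of /kernel/crypto/aes passed.
format: rsa_sha1.
signer: O=Sun Microsystems Inc, OU=Solaris Cryptographic Framework, CN=SunOS 5.10.
signed on: Wed Dec 10 22:59:42 2008.
EOF
}

sample_padlock | classify_signer || true   # OTHER-SIGNER: C=US, CN=portele
sample_aes | classify_signer || true
```

On a live system the same function can be fed from the command used in the thread, for example `elfsign verify -v padlock 2>&1 | classify_signer`.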