On Wed, Oct 28, 2009 at 05:35:49PM -0500, Will Fiveash wrote:
>
> Yep, I was just talking to Nico Williams about this and he convinced me
> that the problem is not that pkcs11_softtoken is setting
> CKF_LOGIN_REQUIRED but rather that applications like pktool and the
> pkinit preauth plugin are prompting for login if that flag is set
> regardless of whether the softtoken object to be accessed is public or
> not. This seems crude and unnecessary. Note that in the case of the
> pkinit plugin this can cause a prompt for the user's PIN even if there
> are no certs in the user's softtoken.
In regards to pktool I think the problem is that list_pk11_objects() calls
token_auth_needed(), which does:

        ckrv = C_GetTokenInfo(slot, &info);
        if (ckrv != KMF_OK)
                return (KMF_ERR_INTERNAL);

        *auth = (info.flags & CKF_LOGIN_REQUIRED);

and later in list_pk11_objects() there is:

        if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) {
                kmf_set_attr_at_index(attrlist, numattr,
                    KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
                numattr++;

                if (auth > 0 && (cred.cred == NULL)) {
                        (void) get_token_password(kstype, token, &cred);
                }

I don't think the logic that checks auth for PK_CERT_OBJ and PK_PUBLIC_OBJ
class objects is correct.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
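The point made in the thread, as an added example that is not code from pktool, pkcs11_softtoken or any poster: under PKCS#11, CKF_LOGIN_REQUIRED only gates objects with CKA_PRIVATE=TRUE, so a session in the public state can already enumerate certificates and public keys. The model below contrasts the "prompt whenever the flag is set" decision with one that prompts only when a private object class is requested, and simulates C_FindObjects visibility before and after login. The token contents, the PK_*_OBJ mask values and the function names are constructed for illustration; the CKF_/CKO_ constants carry their PKCS#11 header values.

```c
/* Added example (not pktool or pkcs11_softtoken code): a self-contained model
 * of PKCS#11 object visibility, showing why CKF_LOGIN_REQUIRED alone should
 * not trigger a PIN prompt when only public objects are being listed. */
#include <stdio.h>
#include <stddef.h>

/* PKCS#11 constants, values as in the pkcs11t.h headers. */
#define CKF_LOGIN_REQUIRED 0x00000004UL
#define CKO_CERTIFICATE    0x00000001UL
#define CKO_PUBLIC_KEY     0x00000002UL
#define CKO_PRIVATE_KEY    0x00000003UL

/* pktool-style object class mask; these bit values are hypothetical and
 * only mirror the PK_CERT_OBJ / PK_PUBLIC_OBJ names used in the thread. */
#define PK_CERT_OBJ    0x01
#define PK_PUBLIC_OBJ  0x02
#define PK_PRIVATE_OBJ 0x04

struct token_obj {
    unsigned long cka_class;
    int           cka_private;  /* CKA_PRIVATE: returned only after C_Login */
    const char   *label;
};

/* Constructed softtoken contents: a cert, its public key, a private key. */
static const struct token_obj g_objects[] = {
    { CKO_CERTIFICATE, 0, "user-cert"    },
    { CKO_PUBLIC_KEY,  0, "user-pubkey"  },
    { CKO_PRIVATE_KEY, 1, "user-privkey" },
};
#define NOBJ (sizeof g_objects / sizeof g_objects[0])

/* Behaviour described in the thread: prompt whenever the token reports
 * CKF_LOGIN_REQUIRED, regardless of which object classes were requested. */
int pktool_prompts_now(unsigned long token_flags, int oclass)
{
    (void)oclass;
    return (token_flags & CKF_LOGIN_REQUIRED) != 0;
}

/* Narrower check: a PIN is needed only when a private object class is among
 * those requested AND the token says login is required for private objects. */
int login_needed(unsigned long token_flags, int oclass)
{
    int wants_private = (oclass & PK_PRIVATE_OBJ) != 0;
    return wants_private && (token_flags & CKF_LOGIN_REQUIRED) != 0;
}

/* Model of C_FindObjects for one CKA_CLASS: CKA_PRIVATE=TRUE objects are
 * hidden until the session is logged in; public objects are always visible. */
int count_visible(unsigned long cka_class, int logged_in)
{
    int n = 0;
    size_t i;
    for (i = 0; i < NOBJ; i++) {
        if (g_objects[i].cka_class != cka_class)
            continue;
        if (g_objects[i].cka_private && !logged_in)
            continue;
        n++;
    }
    return n;
}

int main(void)
{
    unsigned long flags = CKF_LOGIN_REQUIRED;  /* what softtoken reports */

    printf("list certs: prompts now=%d, login needed=%d, visible w/o login=%d\n",
           pktool_prompts_now(flags, PK_CERT_OBJ),
           login_needed(flags, PK_CERT_OBJ),
           count_visible(CKO_CERTIFICATE, 0));
    printf("list private keys: login needed=%d, visible w/o login=%d, after=%d\n",
           login_needed(flags, PK_PRIVATE_OBJ),
           count_visible(CKO_PRIVATE_KEY, 0),
           count_visible(CKO_PRIVATE_KEY, 1));
    return 0;
}
```

With only PK_CERT_OBJ requested the current rule still prompts, while login_needed() returns 0 and the certificate is already enumerable from the public session; the private key stays hidden until login, which is the only case where a PIN prompt buys anything.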