Will Fiveash wrote:
> On Tue, Nov 10, 2009 at 12:27:45PM -0800, Anthony Scarpino wrote:
>> Will Fiveash wrote:
>>> I'm confused in regards to the following behavior of pkcs11_softtoken
>>> and its object store on an OpenSolaris system (build snv_125):
>>>
>>> If I am logged in to a zone session and I run:
>>>
>>> exec /usr/bin/login
>>>
>>> the pkcs11 code is able to find the cert and private key objects in the
>>> default user's pkcs11_softtoken object store
>>> ($HOME/.sunw/pkcs11_softtoken/...). However if I try to login to that
>>> same zone using zlogin -C to do console login, the pkcs11 code appears
>>> to try to access "/objstore_info".
>>>
>>> 10954/1: xstat(2, "/objstore_info", 0x08045B00) Err#2 ENOENT
>>>
>>> This confuses me. Is this expected behavior?
>>>
>>> The truss of the ttymon session is here:
>>> /net/alton.central.sun.com/export/public/ttymon-zlogin-consol.truss
>>
>> I'm not sure what's going on.. Looking at get_keystore_path(), it appears
>> to think there is an alternate keystore environment variable set looking at
>> the functions were called in the truss; even though, the getenv() returned
>> 0. Did you have SOFTTOKEN_DIR set when you ran the zlogin command?
>
> No, SOFTTOKEN_DIR is not set in the env. of the shell session in which
> I'm running zlogin -C nor is it set in the env. of the ttymon running in
> the zone that is exec'ing login in the zone.
>
>> Darren has a code review out that was going to change a lot of this code,
>> so this problem may be disappearing anyway.
>
> I'm using a version of his modified pkcs11_softtoken code in the zone
> (not in the global zone):
>
> -rwxr-xr-x 1 root bin 655604 Oct 29 14:30 pkcs11_softtoken.so.1
>
I'm certain you're seeing Darren's library either by the truss showing you
what is in the zone, or you do have a copy in the global zone.. Looking at
your truss there are two calls to getenv.. Darren's code has two calls.. The
ON version only has one call.. In Darren's code the library can exit without
a snprintf call if both getenv have a NULL value, in ON there must be a
snprintf call.. Below is the relevant part of your truss:

10954/1 at 1: -> pkcs11_softtoken:get_keystore_path()
10954/1 at 1: -> libc:getenv(0xfea8227c)
10954/1 at 1: <- libc:getenv() = 0
10954/1 at 1: -> libc:getenv(0xfea8226c, 0x8045820, 0x3, 0xfea53fa1)
10954/1 at 1: <- libc:getenv() = 0
10954/1 at 1: -> libc:bzero(0xfeab7270, 0x400, 0x3, 0xfea53fa1)
10954/1 at 1: <- libc:bzero() = 0xfeab7270
10954/1 at 1: <- pkcs11_softtoken:get_keystore_path() = 0xfeab7270

Unless there was a mixup and the global zone has Darren's library.. Darren's
code makes more sense for your result than what is in snv.. snv would have a
snprintf call in get_keystore_path() for sure, but the truss doesn't, which
is in line with Darren's..

Here is the relevant file in his code review:
http://cr.opensolaris.org/~darrenm/onnv-bugfixes/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystoreUtil.c.wdiff.html

Here is ON's:
http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystoreUtil.c#176

Tony
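
The failure mode discussed in this thread, as an added C example that is not code from the thread, from Darren's review or from ON: when both environment lookups return NULL the zeroed buffer stays empty, so appending the file name yields "/objstore_info", and a checked variant falls back to the passwd entry and rejects non-absolute results. That HOME is the second variable, the directory layout under SOFTTOKEN_DIR, and all function names are assumptions.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define KS_MAX 0x400 /* buffer length matching the bzero() in the truss */

/* Env-only resolution (hypothetical): the buffer is zeroed and filled only
 * when one of the two getenv() results is non-NULL. Layout is assumed. */
const char *ks_path_env_only(const char *dir, const char *home,
                             char *buf, size_t len)
{
    memset(buf, 0, len);
    if (dir != NULL)
        snprintf(buf, len, "%s/pkcs11_softtoken", dir);
    else if (home != NULL)
        snprintf(buf, len, "%s/.sunw/pkcs11_softtoken", home);
    return buf; /* empty string when both are NULL */
}

/* Checked resolution (hypothetical): fall back to the passwd entry when the
 * environment gives nothing, and refuse any result that is not absolute. */
int ks_path_checked(const char *dir, const char *home, char *buf, size_t len)
{
    ks_path_env_only(dir, home, buf, len);
    if (buf[0] == '\0') {
        struct passwd *pw = getpwuid(getuid());
        if (pw == NULL || pw->pw_dir == NULL || pw->pw_dir[0] == '\0')
            return -1;
        snprintf(buf, len, "%s/.sunw/pkcs11_softtoken", pw->pw_dir);
    }
    return buf[0] == '/' ? 0 : -1;
}

/* Object-store metadata file beneath the keystore directory. */
const char *ks_info_path(const char *ks, char *out, size_t len)
{
    snprintf(out, len, "%s/objstore_info", ks);
    return out;
}

int main(void)
{
    char ks[KS_MAX], info[KS_MAX];
    const char *dir = getenv("SOFTTOKEN_DIR"), *home = getenv("HOME");
    ks_path_env_only(dir, home, ks, sizeof ks);
    printf("env only: %s\n", ks_info_path(ks, info, sizeof info));
    if (ks_path_checked(dir, home, ks, sizeof ks) == 0)
        printf("checked:  %s\n", ks_info_path(ks, info, sizeof info));
    return 0;
}
```

Running it with both variables removed from the environment (for example under `env -i`) shows the env-only path collapsing to the filesystem root while the checked path resolves from the passwd database or fails.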
