Sun appears to be headed down the path of using /usr/lib/libpkcs11.so
with Kerberos PKINIT as well as pam_pkcs11.so, and it was said
opensc-pkcs11.so works with libpkcs11. So I wanted to try this for
myself.

I obtained an elfsign certificate from Sun and signed the opensc-pkcs11.so
and installed it using cryptoadm install provider=..../opensc-pkcs11.so

Using the opensc-0.11.6 and pcscd I have run into two related problems,
and a problem where sshd (and dtlogin) will not run if the opensc-pkcs11.so
is listed as a provider.

Sun appears to expect C_GetMechanismList to return a list if there is a slot
present, even if there is no token present. See the attached cryptoadmin.txt

I think this is a bug in Sun's code. PKCS#11 2.01 and 2.20 say:
  "C_GetMechanismList is used to obtain a list of mechanism
   types supported by a token."

If there is no token they should not ask for a list of mechanisms. Note
that cryptoadm shows that there is no token present in the slot.

The above test was run with the following patch installed.

OpenSC will show a slot is present if there is a reader, but
will segfault if C_GetMechanismList is called for an unused
virtual slot. I submitted OpenSC ticket #181 for this.

The attached slot.null.txt is a gdb trace of the Sun cryptoadm
calling C_GetMechanismList for the first of the virtual slots.
There is a card in the reader using the first 4 slots.

Note that sc_pkcs11_get_mechanism_list is called with p11card=0x0.
Ticket #181 gets around this.


I have not tracked down the sshd and login problems yet.
I am assuming that is related to no mechanism list.

Note that sshd should not be using the console user's
smartcard for any crypto!


-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: slot.null.txt
URL: 
<http://mail.opensolaris.org/pipermail/kerberos-discuss/attachments/20081006/8fd33c35/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: crytpoadm.txt
URL: 
<http://mail.opensolaris.org/pipermail/kerberos-discuss/attachments/20081006/8fd33c35/attachment-0001.txt>
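The following is an added example, not code from OpenSC, Sun or the message above. It shows both halves of the C_GetMechanismList problem the message describes: a consumer that checks CKF_TOKEN_PRESENT (from C_GetSlotInfo) before asking a slot for its mechanism list, beside a provider whose C_GetMechanismList returns CKR_TOKEN_NOT_PRESENT for an empty virtual slot instead of dereferencing a NULL card pointer. The typedefs and constants are a minimal stand-in for pkcs11.h (values as in the PKCS#11 v2.20 header) so the file builds without the real header, and the slot table (one card on slot 0, three unused virtual slots) is constructed for the example.

```c
/* Added example, not OpenSC or Sun code. Minimal stand-in for pkcs11.h:
 * the typedefs and constants below use the PKCS#11 v2.20 values so that
 * the file compiles without the real header. */
#include <stddef.h>
#include <stdio.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef CK_ULONG CK_SLOT_ID;
typedef CK_ULONG CK_FLAGS;
typedef CK_ULONG CK_MECHANISM_TYPE;
typedef struct { CK_FLAGS flags; } CK_SLOT_INFO;   /* only the field used here */

#define CKR_OK                0x000UL
#define CKR_SLOT_ID_INVALID   0x003UL
#define CKR_TOKEN_NOT_PRESENT 0x0E0UL
#define CKR_BUFFER_TOO_SMALL  0x150UL
#define CKF_TOKEN_PRESENT     0x001UL
#define CKM_RSA_PKCS          0x001UL
#define CKM_SHA1_RSA_PKCS     0x006UL

/* Constructed model of the virtual-slot table: one reader, a card bound to
 * slot 0, slots 1..3 unused. p11card == NULL is the situation from the
 * gdb trace (sc_pkcs11_get_mechanism_list called with p11card=0x0). */
struct card { const CK_MECHANISM_TYPE *mechs; CK_ULONG n; };
struct slot { struct card *p11card; };

static const CK_MECHANISM_TYPE card_mechs[] = { CKM_RSA_PKCS, CKM_SHA1_RSA_PKCS };
static struct card the_card = { card_mechs, 2 };
static struct slot slots[] = { { &the_card }, { NULL }, { NULL }, { NULL } };
#define NSLOTS (sizeof slots / sizeof slots[0])

/* ---- provider side ---- */
CK_RV C_GetSlotInfo(CK_SLOT_ID id, CK_SLOT_INFO *info)
{
    if (id >= NSLOTS) return CKR_SLOT_ID_INVALID;
    info->flags = slots[id].p11card ? CKF_TOKEN_PRESENT : 0;
    return CKR_OK;
}

CK_RV C_GetMechanismList(CK_SLOT_ID id, CK_MECHANISM_TYPE *list, CK_ULONG *count)
{
    if (id >= NSLOTS) return CKR_SLOT_ID_INVALID;
    struct card *c = slots[id].p11card;
    if (c == NULL)                      /* empty virtual slot: report it, do not crash */
        return CKR_TOKEN_NOT_PRESENT;
    if (list == NULL) { *count = c->n; return CKR_OK; }              /* size query */
    if (*count < c->n) { *count = c->n; return CKR_BUFFER_TOO_SMALL; }
    for (CK_ULONG i = 0; i < c->n; i++) list[i] = c->mechs[i];
    *count = c->n;
    return CKR_OK;
}

/* Size-query wrapper so the provider's return code is easy to inspect. */
CK_RV probe_mechanism_list(CK_SLOT_ID id)
{
    CK_ULONG n = 0;
    return C_GetMechanismList(id, NULL, &n);
}

/* ---- consumer side (what a cryptoadm-like caller should do) ---- */
/* Returns the mechanism count, or -1 without ever calling
 * C_GetMechanismList when the slot is invalid or holds no token:
 * per the spec, mechanisms belong to a token, not to a slot. */
long count_mechanisms(CK_SLOT_ID id)
{
    CK_SLOT_INFO info;
    if (C_GetSlotInfo(id, &info) != CKR_OK) return -1;
    if (!(info.flags & CKF_TOKEN_PRESENT)) return -1;
    CK_ULONG n = 0;
    if (C_GetMechanismList(id, NULL, &n) != CKR_OK) return -1;
    return (long)n;
}

int main(void)
{
    for (CK_SLOT_ID id = 0; id < NSLOTS; id++)
        printf("slot %lu: %ld mechanism(s), provider rv 0x%lx\n",
               id, count_mechanisms(id), probe_mechanism_list(id));
    return 0;
}
```

With the slot table above, slot 0 yields two mechanisms and slots 1..3 yield CKR_TOKEN_NOT_PRESENT from the provider, while the consumer never issues the call for them at all. Either fix alone would have avoided the segfault in the trace; a robust deployment wants both, since a provider cannot assume every caller honours the spec's token-present precondition.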