Will Fiveash wrote:
> On Tue, Oct 27, 2009 at 04:47:00PM -0500, Will Fiveash wrote:
>> On Thu, Oct 22, 2009 at 05:40:47PM +0100, Darren Moffat wrote:
>>> The concept seems reasonable but what will the prompts look like?
>> I've been doing some testing and I have a question in regards to the
>> pkinit preauth plugin, libpkcs11 and the resulting prompting behavior.
>> What I'm seeing is if the system is configured to try PKINIT in addition
>> to password timestamp, a user will be prompted for a PIN like so:
>>
>> Sun Metaslot PIN:
>>
>> regardless of whether the user has a cert/key token in their PKCS11
>> objectstore or not. This happens with both kinit and pam_krb5. This
>> doesn't seem reasonable to prompt a user for a PIN in the case a token
>> containing a cert/key does not exist. Thoughts?
>
> More info: it appears that in pkinit_open_session() there is code
> calling C_Initialize, C_GetSlotList, C_OpenSession, C_GetTokenInfo.
> C_GetTokenInfo appears to set CKF_LOGIN_REQUIRED in the output object's
> flags. This in turn causes the PIN prompt for a user that does not have
> any cert token object in their softtoken objstore. I also see this code
> in lib/pkcs11/pkcs11_softtoken/common/softSlotToken.c:C_GetTokenInfo()
>
> pInfo->flags = SOFT_TOKEN_FLAGS | token_flag;
>
> where SOFT_TOKEN_FLAGS is:
>
> #define SOFT_TOKEN_FLAGS CKF_RNG|\
>     CKF_USER_PIN_INITIALIZED|\
>     CKF_LOGIN_REQUIRED|\
>     ^^^^^^^^^^^^^^^^^^
>     CKF_RESTORE_KEY_NOT_NEEDED|\
>     CKF_DUAL_CRYPTO_OPERATIONS|\
>     CKF_TOKEN_INITIALIZED
>
> Is this a Solaris PKCS11 bug? Note, the user did a pktool setpin
> earlier.
It could be a bug; it sounds similar to 6721247, which I logged. What that flag means is you need to log in to do some operations. Which is in fact true: you can't operate on private token objects unless you are logged in. This isn't something this case should try and fix though, because there could be a big knock-on impact from changing that. I'm going to discuss this with some others, including on the cryptoki alias.

--
Darren J Moffat
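Added example, not code from this thread or from the Solaris softtoken: it rebuilds the quoted SOFT_TOKEN_FLAGS composition with the PKCS#11 v2.x flag values, decodes a CK_TOKEN_INFO flags word for diagnostics, and shows the client-side prompt policy the thread argues for (count the token's public certificate objects before C_Login and prompt for the PIN only when CKF_LOGIN_REQUIRED is set and a certificate is really there). The decode_token_flags and pin_prompt_needed functions and the cert-count argument are assumptions; no real token is opened.

```c
/* Added example, not softtoken code: the flag bits are PKCS#11 v2.x values;
 * the certificate count below is supplied by the caller, no token is opened. */
#include <string.h>

typedef unsigned long CK_FLAGS;
#define CKF_RNG                     0x00000001UL
#define CKF_WRITE_PROTECTED         0x00000002UL
#define CKF_LOGIN_REQUIRED          0x00000004UL
#define CKF_USER_PIN_INITIALIZED    0x00000008UL
#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020UL
#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200UL
#define CKF_TOKEN_INITIALIZED       0x00000400UL

/* Same composition as the quoted SOFT_TOKEN_FLAGS macro: CKF_LOGIN_REQUIRED is
 * reported unconditionally, whatever the user's objstore actually holds. */
#define SOFT_TOKEN_FLAGS (CKF_RNG | CKF_USER_PIN_INITIALIZED | \
    CKF_LOGIN_REQUIRED | CKF_RESTORE_KEY_NOT_NEEDED | \
    CKF_DUAL_CRYPTO_OPERATIONS | CKF_TOKEN_INITIALIZED)

static const struct { CK_FLAGS bit; const char *name; } flag_names[] = {
    { CKF_RNG, "CKF_RNG" }, { CKF_WRITE_PROTECTED, "CKF_WRITE_PROTECTED" },
    { CKF_LOGIN_REQUIRED, "CKF_LOGIN_REQUIRED" },
    { CKF_USER_PIN_INITIALIZED, "CKF_USER_PIN_INITIALIZED" },
    { CKF_RESTORE_KEY_NOT_NEEDED, "CKF_RESTORE_KEY_NOT_NEEDED" },
    { CKF_DUAL_CRYPTO_OPERATIONS, "CKF_DUAL_CRYPTO_OPERATIONS" },
    { CKF_TOKEN_INITIALIZED, "CKF_TOKEN_INITIALIZED" },
};

/* Decode CK_TOKEN_INFO.flags into "A|B|C" for diagnostics; returns bit count. */
size_t decode_token_flags(CK_FLAGS flags, char *out, size_t outlen)
{
    size_t i, n = 0;
    out[0] = '\0';
    for (i = 0; i < sizeof flag_names / sizeof flag_names[0]; i++) {
        if (!(flags & flag_names[i].bit)) continue;
        if (n) strncat(out, "|", outlen - strlen(out) - 1);
        strncat(out, flag_names[i].name, outlen - strlen(out) - 1);
        n++;
    }
    return n;
}

/* Prompt policy a PKINIT-style client can apply instead of trusting the flag
 * alone: certificates are public objects, so C_FindObjects can count them
 * before C_Login; prompt only if login is required AND a cert is present. */
int pin_prompt_needed(CK_FLAGS token_flags, unsigned long cert_objects_found)
{
    return (token_flags & CKF_LOGIN_REQUIRED) && cert_objects_found > 0;
}
```

With SOFT_TOKEN_FLAGS as the input, decode_token_flags always lists CKF_LOGIN_REQUIRED, which is why a client keyed on that flag alone prompts even for an empty objstore.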