Sun appears to be headed down the path of using /usr/lib/libpkcs11.so
with Kerberos PKINIT as well as pam_pkcs11.so, and it was said
opensc-pkcs11.so works with libpkcs11. So I wanted to try this for
myself.
I obtained an elfsign certificate from Sun and signed the opensc-pkcs11.so
and installed it using cryptoadm install provider=..../opensc-pkcs11.so
Using the opensc-0.11.6 and pcscd I have run into two related problems,
and a problem where sshd (and dtlogin) will not run if the opensc-pkcs11.so
is listed as a provider.
Sun appears to expect C_GetMechanismList to return a list if there is a slot
present, even if there is no token present. See the attached cryptoadmin.txt
I think this is a bug in Sun's code. PKCS#11 2.01 and 2.20 say:
"C_GetMechanismList is used to obtain a list of mechanism
types supported by a token."
If there is no token they should not ask for a list of mechanisms. Note
that cryptoadm shows that there is no token present in the slot.
The above test was run with the following patch installed.
OpenSC will show a slot is present if there is a reader, but
will segfault if C_GetMechanismList is called for an unused
virtual slot. I submitted to OpenSC ticket number #181
The attached slot.null.txt is a gdb trace of the Sun cryptoadm
calling C_GetMechanismList for the first of the virtual slots.
There is a card in the reader using the first 4 slots.
Note that sc_pkcs11_get_mechanism_list is called with p11card=0x0.
Ticket #181 gets around this.
I have not tracked down the sshd and login problems yet.
I am assuming that is related to no mechanism list.
Note that sshd should not be using the console user's
smartcard for any crypto!
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Slot #5
Description: Virtual slot
Manufacturer: OpenSC (www.opensc-project.org)
PKCS#11 Version: 2.11
Hardware Version: 0.0
Firmware Version: 0.0
Token Present: False
Slot Flags: CKF_REMOVABLE_DEVICE CKF_HW_SLOT
Token Label:
Manufacturer ID:
Model:
Serial Number:
Hardware Version: 0.0
Firmware Version: 0.0
UTC Time:
PIN Length: 0-0
Flags:
Program received signal SIGSEGV, Segmentation fault.
0xff22cff8 in sc_pkcs11_get_mechanism_list (p11card=0x0, pList=0x0,
pulCount=0xffbfde98) at ../../../src/src/pkcs11/mechanism.c:83
83 for (n = 0; n < p11card->nmechanisms; n++) {
(gdb) where
#0 0xff22cff8 in sc_pkcs11_get_mechanism_list (p11card=0x0, pList=0x0,
pulCount=0xffbfde98) at ../../../src/src/pkcs11/mechanism.c:83
#1 0xff225fac in C_GetMechanismList (slotID=4, pMechanismList=0x0,
pulCount=0xffbfde98) at ../../../src/src/pkcs11/pkcs11-global.c:493
#2 0x00014c58 in list_mechlist_for_lib ()
#3 0x0001379c in ?? ()
#4 0x0001379c in ?? ()
/usr/bin/elfsign verify -e /opt/smartcard/lib/opensc-pkcs11.so
elfsign: verification of /opt/smartcard/lib/opensc-pkcs11.so passed.
rleans-604$ /usr/sbin/cryptoadm list -v
User-level providers:
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
/usr/lib/security/$ISA/pkcs11_kernel.so: no slots presented.
Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
Number of slots: 1
Slot #1
Description: Sun Crypto Softtoken
Manufacturer: Sun Microsystems, Inc.
PKCS#11 Version: 2.20
Hardware Version: 0.0
Firmware Version: 0.0
Token Present: True
Slot Flags: CKF_TOKEN_PRESENT
Token Label: Sun Software PKCS#11 softtoken
Manufacturer ID: Sun Microsystems, Inc.
Model: 1.0
Serial Number:
Hardware Version: 0.0
Firmware Version: 0.0
UTC Time:
PIN Length: 1-256
Flags: CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED
CKF_RESTORE_KEY_NOT_NEEDED CKF_DUAL_CRYPTO_OPERATIONS CKF_TOKEN_INITIALIZED
CKF_USER_PIN_TO_BE_CHANGED
Provider: /opt/smartcard/lib/opensc-pkcs11.so
Number of slots: 8
Slot #1
Description: Gemplus GemPC Twin 00 00
Manufacturer: OpenSC (www.opensc-project.org)
PKCS#11 Version: 2.11
Hardware Version: 0.0
Firmware Version: 0.0
Token Present: False
Slot Flags: CKF_REMOVABLE_DEVICE CKF_HW_SLOT
/opt/smartcard/lib/opensc-pkcs11.so: failed to retrieve the mechanism list.
Kernel software providers:
des
aes
arcfour
blowfish
sha1
sha2
md5
rsa
swrand
Kernel hardware providers:
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
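The crash in the trace above comes from C_GetMechanismList being asked about a slot that has no token, with the provider dereferencing a card pointer that is NULL for a virtual slot. The following C program is an added example written for this page; it is a constructed model of that contract, not OpenSC's or Sun's code. It defines minimal stand-ins for the pkcs11.h types (the numeric return codes and mechanism constants are the PKCS#11 v2.20 values), builds a sample provider with one inserted card and one empty virtual slot (both constructed), and shows the two things a provider has to get right for a caller like cryptoadm: the NULL-card guard that returns CKR_TOKEN_NOT_PRESENT instead of segfaulting, and the two-call buffer convention where a NULL pMechanismList means "return the count only". The names get_mechanism_list, fetch_mechanisms, struct slot and sample_card are this example's own.

```c
/* Constructed model of the C_GetMechanismList contract discussed in the
 * thread: a provider with one inserted card and one virtual slot that has
 * no token. Example code, not OpenSC's or Sun's implementation. */
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the pkcs11.h types and constants used here.
 * The numeric values match the PKCS#11 v2.20 specification. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef CK_ULONG CK_SLOT_ID;
typedef CK_ULONG CK_MECHANISM_TYPE;

#define CKR_OK                    0x0UL
#define CKR_SLOT_ID_INVALID       0x3UL
#define CKR_ARGUMENTS_BAD         0x7UL
#define CKR_TOKEN_NOT_PRESENT     0xE0UL
#define CKR_BUFFER_TOO_SMALL      0x150UL

#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x0UL
#define CKM_RSA_PKCS              0x1UL
#define CKM_SHA_1                 0x220UL

/* Per-card state; a slot whose token is absent has no card attached. */
struct p11card {
    CK_ULONG nmechanisms;
    CK_MECHANISM_TYPE mechanisms[8];
};

struct slot {
    CK_SLOT_ID id;
    struct p11card *card;   /* NULL for a virtual slot with no token */
};

/* Constructed sample provider: a card in slot 0, an empty virtual slot 4,
 * mirroring the cryptoadm run in the message (slotID=4 crashed there). */
static struct p11card sample_card = {
    3, { CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_PKCS, CKM_SHA_1 }
};
static struct slot slots[] = {
    { 0, &sample_card },
    { 4, NULL },
};
#define NSLOTS (sizeof(slots) / sizeof(slots[0]))

/* Token-level list with the NULL guard the thread is about: refuse the
 * query instead of dereferencing a card that is not there. */
static CK_RV get_mechanism_list(struct p11card *p11card,
                                CK_MECHANISM_TYPE *pList, CK_ULONG *pulCount)
{
    CK_ULONG n;

    if (pulCount == NULL)
        return CKR_ARGUMENTS_BAD;
    if (p11card == NULL)
        return CKR_TOKEN_NOT_PRESENT;

    /* PKCS#11 two-call convention: pList == NULL asks only for the count. */
    if (pList == NULL) {
        *pulCount = p11card->nmechanisms;
        return CKR_OK;
    }
    if (*pulCount < p11card->nmechanisms) {
        *pulCount = p11card->nmechanisms;
        return CKR_BUFFER_TOO_SMALL;
    }
    for (n = 0; n < p11card->nmechanisms; n++)
        pList[n] = p11card->mechanisms[n];
    *pulCount = p11card->nmechanisms;
    return CKR_OK;
}

/* Entry point shaped like C_GetMechanismList: resolve the slot, then defer. */
CK_RV C_GetMechanismList(CK_SLOT_ID slotID, CK_MECHANISM_TYPE *pMechanismList,
                         CK_ULONG *pulCount)
{
    size_t i;
    for (i = 0; i < NSLOTS; i++)
        if (slots[i].id == slotID)
            return get_mechanism_list(slots[i].card, pMechanismList, pulCount);
    return CKR_SLOT_ID_INVALID;
}

/* Caller side, as cryptoadm does it: count query first, then the fetch. */
CK_RV fetch_mechanisms(CK_SLOT_ID slotID, CK_MECHANISM_TYPE *out,
                       CK_ULONG capacity, CK_ULONG *found)
{
    CK_RV rv = C_GetMechanismList(slotID, NULL, found);
    if (rv != CKR_OK)
        return rv;
    if (*found > capacity)
        return CKR_BUFFER_TOO_SMALL;
    return C_GetMechanismList(slotID, out, found);
}

int main(void)
{
    CK_MECHANISM_TYPE list[8];
    CK_ULONG count = 0;
    CK_RV rv = fetch_mechanisms(0, list, 8, &count);
    printf("slot 0: rv=0x%lx count=%lu\n", rv, count);
    rv = fetch_mechanisms(4, list, 8, &count);
    printf("slot 4: rv=0x%lx (CKR_TOKEN_NOT_PRESENT is 0xe0)\n", rv);
    return 0;
}
```

With the guard in place, a caller that ignores the Token Present flag (as cryptoadm did here) gets CKR_TOKEN_NOT_PRESENT back for the virtual slot and can move on to the next slot; the caller-side fix is still to check CKF_TOKEN_PRESENT from C_GetSlotInfo before asking for mechanisms at all.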