Hi,
this is a known bug in Solaris 10. See CR 6759852 for details (the CR
was closed though as Nevada is not affected).
You can use the workaround from the quoted CR to fix the issue here.
Bye,
Wolfgang.
chunhuan.s...@sun.com wrote:
Hi experts,
I would like to consult you about an issue regarding pkcs11_softtoken.so
in the global zone and a non-global zone on Solaris 10.
The output of cryptoadm differs between the global zone and
the non-global zone.
For example, the following output was seen in the non-global zone
and the global zone.
yukinoko# uname -a
SunOS yukinoko 5.10 Generic_118833-36 sun4u sparc SUNW,A70
yukinoko# zlogin zone1
[Connected to zone 'zone1' pts/5]
Last login: Tue Mar 17 21:19:53 on pts/5
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
#
# cryptoadm list
User-level providers:
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so ===!!!
Kernel software providers:
swrand
rsa
md5
sha2
sha1
blowfish
arcfour
aes
des
Kernel hardware providers:
# ^D
[Connection to zone 'zone1' pts/5 closed]
yukinoko# cryptoadm list
User-level providers:
provider: /usr/lib/security/$ISA/pkcs11_kernel.so
provider: /usr/lib/security/$ISA/pkcs11_softtoken.so ===!!!
Kernel software providers:
des
aes
arcfour
blowfish
sha1
sha2
md5
rsa
swrand
Kernel hardware providers:
# uname -a
SunOS m5000-0 5.10 Generic_137137-09 sun4u sparc SUNW,SPARC-Enterprise
# cryptoadm list
User-level providers:
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Provider: /usr/lib/security/$ISA/pkcs11_softtoken_extra.so ===!!!
Kernel software providers:
des
aes256
arcfour2048
blowfish448
sha1
sha2
md5
rsa
swrand
Kernel hardware providers:
# zlogin testzone
[Connected to zone 'testzone' pts/2]
Last login: Thu Feb 19 18:51:47 on console
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
#
# cryptoadm list
User-level providers:
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so ===!!!
Kernel software providers:
swrand
rsa
md5
sha2
sha1
blowfish448
arcfour2048
aes256
des
Kernel hardware providers:
The cu said they installed patch 127127-11 but did not
install 139498-04.
Document ID:127127-11 (applied)
Title: SunOS 5.10: kernel patch
Document ID:139498-04 (didn't apply)
Title: SunOS 5.10: libpkcs11.so patch
The cu would like to know:
1) In a non-global zone, why is pkcs11_softtoken.so used as the default?
Is it by design?
2) In a non-global zone, if pkcs11_softtoken.so is changed to
pkcs11_softtoken_extra.so, is there any impact on the system?
3) In a non-global zone, if they want to use 128-bit keylength, is the following
method correct or not?
# cryptoadm install provider=/usr/lib/security/\$ISA/pkcs11_softtoken_extra.so
# cryptoadm uninstall provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
The pkcs11_softtoken man page has the following info:
=== man pkcs11_softtoken ===
The pkcs11_softtoken.so object contains only implementations
of symmetric key algorithms of up to 128-bit keylength.
pkcs11_softtoken_extra.so, if available, might contain
longer key lengths.
=== man pkcs11_softtoken ===
Thank you very much.
Best Regards
chunhuan
___
zones-discuss mailing list
zones-discuss@opensolaris.org