pkinit updates
Douglas E. Engert
deengert at anl.gov
Tue Dec 12 14:48:47 EST 2006
Jim Rees wrote:
> I think the PKCS11 environment variable should still work.
Right, I found that. But I would expect the environment variable to
be dropped in favor of the -X parameters.
> But you don't
> need to specify the slot any more, unless you have more than one token.
There is not necessarily a 1-1 correspondence between readers and slots.
PKCS#11 says: "It is possible that multiple slots may share the same reader."
OpenSC can allocate multiple slots to the same card, if the security
requirements are different, i.e. you could have a session with slot 0
using a pin, but a session with slot 1 without a pin. It is not
clear if OpenSC has gone too far in doing this, but they did it.
There are OpenSC parameters num_slots = to assign slots to a card,
and hide_empty_tokens.
> pkcs11-tool -L
Available slots:
Slot 0 CCID Compatible
token label: PIV_II (PIV Card Holder pin)
token manuf: piv_II
token model: PKCS #15 SCard
token flags: rng, login required, PIN initialized, token initialized
serial num : 9876543210
Slot 1 CCID Compatible
token label: PIV_II
token manuf: piv_II
token model: PKCS #15 SCard
token flags: rng, PIN initialized, token initialized
serial num : 9876543210
Slot 2 (empty)
Slot 3 (empty)
Slot 4 (empty)
Slot 5 (empty)
Slot 6 (empty)
Slot 7 (empty)
>
> Our current code allows you to specify the slot like this:
>
> pkinit -X X509_user_identity=PKCS11:module_name:slotno
>
> but I don't know if that's in svn or not.
No it choked with the :0.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
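As an added example (not code from this thread, from OpenSC or from the pkinit project), a small Python helper that parses the `pkcs11-tool -L` listing above, skips empty slots, and turns a chosen slot into the `-X X509_user_identity=PKCS11:module_name:slotno` form Jim describes; the module path it is given is an assumed placeholder.

```python
"""Pick a PKCS#11 slot for pkinit from `pkcs11-tool -L` output.

Added example, not code from the thread or from MIT Kerberos: parses the
listing quoted above, skips empty slots, and reports which populated slots
advertise 'login required' so the slotno in PKCS11:module:slotno is chosen
deliberately. The module path passed in is a placeholder.
"""
import re

# Constructed sample: the listing from the post, '>' quote marker removed.
SAMPLE_LISTING = """\
Available slots:
Slot 0 CCID Compatible
token label: PIV_II (PIV Card Holder pin)
token flags: rng, login required, PIN initialized, token initialized
serial num : 9876543210
Slot 1 CCID Compatible
token label: PIV_II
token flags: rng, PIN initialized, token initialized
serial num : 9876543210
Slot 2 (empty)
"""

SLOT_RE = re.compile(r"^Slot (\d+)\s+(.*)$")

def parse_slots(listing):
    """Map slotno -> {reader, empty, label, flags} from pkcs11-tool -L text."""
    slots, cur = {}, None
    for line in listing.splitlines():
        m = SLOT_RE.match(line)
        if m:
            desc = m.group(2).strip()
            cur = {"reader": desc, "empty": desc == "(empty)", "label": "", "flags": set()}
            slots[int(m.group(1))] = cur
        elif cur is not None and line.startswith("token label:"):
            cur["label"] = line.split(":", 1)[1].strip()
        elif cur is not None and line.startswith("token flags:"):
            cur["flags"] = {f.strip() for f in line.split(":", 1)[1].split(",")}
    return slots

def pkinit_identities(listing, module, login_required=True):
    """Build -X X509_user_identity values for populated slots; by default only
    those whose token requires a PIN, since slots 0 and 1 above are the same
    card and differ only in that flag."""
    ids = []
    for slotno, s in sorted(parse_slots(listing).items()):
        if s["empty"] or (login_required and "login required" not in s["flags"]):
            continue
        ids.append(f"X509_user_identity=PKCS11:{module}:{slotno}")
    return ids
```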