pkinit updates

Douglas E. Engert deengert at
Wed Dec 13 18:32:37 EST 2006

More on the Solaris /usr/lib/ ...

Nicolas Williams wrote:

> On Wed, Dec 13, 2006 at 03:50:02PM -0600, Douglas E. Engert wrote:

>>>If the OS ships with a PKCS#11 implementation, then use that as the
>>>default.  (Solaris 10+, for example, has /usr/lib/
> Wow... what?  It's been there for a while...
>> But this is not a smartcard interface as best as I can tell,
>> it is a crypto provider for internal use only. If it can use a smartcard,
>> please correct me if I am wrong!
> Oh no, it's a smartcard interface too.  There are multiple providers.

Great. Which providers?

> And it's an open plug-in interface: you can add third party providers,
> and the PKCS#11 API is the SPI.  The only catch is that you have to ask
> Sun to sign your providers' shared objects (the framework won't load
> providers that aren't signed), but it's easy enough to get these
> signatures.

How do I get an OpenSC version signed? How about a UMich Kx509/libkpkcs11
version signed? This sounds like the hassle Microsoft has with signing

> The softtoken provider uses "soft" tokens for storing keys (i.e., an
> encrypted file in ~/.sunw/pkcs11_softtoken/private).

The UMich kxlist can write a kx509 cert and key; what would it take
to get it in this format?

Some PKINIT questions then. If it used your PKCS#11, with multiple
providers, say a CAC PKCS#11 and a PIV PKCS#11, what would PKINIT see
with regards to slots?

I will have to try the OpenSC pkcs11-tool --module /usr/lib/
after I build it tonight.

> The kernel provider supports HW tokens.
>>>But how many smartcards should I have to carry around with me?
>>How many credit card do you carry?
> I have several; I carry one that I use for everything, and a backup one.
> Not a perfect analogy, but I see your point.
> Nico


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
