pkinit updates

Douglas E. Engert deengert at anl.gov
Wed Dec 13 18:32:37 EST 2006


More on the Solaris /usr/lib/libpkcs11.so ...

Nicolas Williams wrote:

> On Wed, Dec 13, 2006 at 03:50:02PM -0600, Douglas E. Engert wrote:
> 

>>>If the OS ships with a PKCS#11 implementation, then use that as the
>>>default.  (Solaris 10+, for example, has /usr/lib/libpkcs11.so.)
>>
>>*WOW...*
> 
> 
> Wow... what?  It's been there for a while...
> 
> 
>>         But this is not a smartcard interface as best as I can tell,
>>it is a crypto provider for internal use only. If it can use a smartcard,
>>please correct me if I am wrong!
> 
> 
> Oh no, it's a smartcard interface too.  There are multiple providers.

Great. Which providers?

> 
> And it's an open plug-in interface: you can add third party providers,
> and the PKCS#11 API is the SPI.  The only catch is that you have to ask
> Sun to sign your providers' shared objects (the framework won't load
> providers that aren't signed), but it's easy enough to get these
> signatures.
> 

How do I get an OpenSC version signed? How about a UMich Kx509/libkpkcs11
version signed? This sounds like the hassle Microsoft has with signing
CSPs.

> The softtoken provider uses "soft" tokens for storing keys (i.e., an
> encrypted file in ~/.sunw/pkcs11_softtoken/private).
> 

The UMich kxlist can write a kx509 cert and key; what would it take
to get it in this format?


Some PKINIT questions then. If it used your PKCS11, with multiple
providers, say a CAC pkcs11 and a PIV pkcs11, what would PKINIT see
with regards to slots?

I will have to try the OpenSC pkcs11-tool --module /usr/lib/libpkcs11.so
after I build it tonight.


> The kernel provider supports HW tokens.
> 
> 
>>>But how many smartcards should I have to carry around with me?
>>
>>How many credit card do you carry?
> 
> 
> I have several; I carry one that I use for everything, and a backup one.
> 
> Not a perfect analogy, but I see your point.
> 
> Nico

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
