Nicolas.Williams at sun.com
Wed Dec 13 18:51:59 EST 2006
On Wed, Dec 13, 2006 at 05:32:37PM -0600, Douglas E. Engert wrote:
> More on the Solaris /usr/lib/libpkcs11.so ...
> Nicolas Williams wrote:
> >Oh no, it's a smartcard interface too. There are multiple providers.
> Great, Which providers?
Solaris ships three: "kernel," "softtoken" and "metaslot." Metaslot is
a virtual provider that unifies the features of the others. Softtoken
is a software implementation of various algorithms and it provides
file-backed storage (secrets being encrypted in the token PIN). Kernel
interfaces with HW tokens (admittedly I don't know the full list; I'll
ask the experts).
> >And it's an open plug-in interface: you can add third party providers,
> >and the PKCS#11 API is the SPI. The only catch is that you have to ask
> >Sun to sign your providers' shared objects (the framework won't load
> >providers that aren't signed), but it's easy enough to get these
> How do I get an OpenSC version signed? How about a UMich Kx509/libkpkcs11
> version signed. This sounds like the hastle Micrsoft has with signing
See "Appendix F Packaging and Signing Cryptographic Providers" of the
"Solaris Security for Developers Guide":
> >The softtoken provider uses "soft" tokens for storing keys (i.e., an
> >encrypted file in ~/.sunw/pkcs11_softtoken/private).
> The UMich kxlist can write a kx509 cert and key, what would it take
> to get in in this format?
Use PKCS#11! Or the pktool(1) command:
pktool import [token=token_spec] infile=file
(the file being in PKCS#12 format, passphrase-protected or not)
> Some PKINIT questions then. If it used your PKCS11, With multiple
> providers, say a CAC pkcs11 and a PIV pkcs11, what would PKINIT see
> with regards to slots?
Good question. I'll asked someone who'd know.
> I will have to try the OpenSC pkcs11-tool --module /usr/lib/libpkcs11.so
> after I build it tonight.
Please do, and let us know how it goes. Thanks,
More information about the krbdev