pkinit updates

Nicolas Williams Nicolas.Williams at
Wed Dec 13 18:51:59 EST 2006

On Wed, Dec 13, 2006 at 05:32:37PM -0600, Douglas E. Engert wrote:
> More on the Solaris /usr/lib/ ...
> Nicolas Williams wrote:
> >Oh no, it's a smartcard interface too.  There are multiple providers.
> Great, Which providers?

Solaris ships three: "kernel," "softtoken" and "metaslot."  Metaslot is
a virtual provider that unifies the features of the others.  Softtoken
is a software implementation of various algorithms and it provides
file-backed storage (secrets being encrypted in the token PIN).  Kernel
interfaces with HW tokens (admittedly I don't know the full list; I'll
ask the experts).

> >And it's an open plug-in interface: you can add third party providers,
> >and the PKCS#11 API is the SPI.  The only catch is that you have to ask
> >Sun to sign your providers' shared objects (the framework won't load
> >providers that aren't signed), but it's easy enough to get these
> >signatures.
> How do I get an OpenSC version signed? How about a UMich Kx509/libkpkcs11
> version signed? This sounds like the hassle Microsoft has with signing
> CSPs.

See "Appendix F Packaging and Signing Cryptographic Providers" of the
"Solaris Security for Developers Guide":

> >The softtoken provider uses "soft" tokens for storing keys (i.e., an
> >encrypted file in ~/.sunw/pkcs11_softtoken/private).
> >
> The UMich kxlist can write a kx509 cert and key, what would it take
> to get it in this format?

Use PKCS#11!  Or the pktool(1) command:

    pktool import [token=token_spec] infile=file

(the file being in PKCS#12 format, passphrase-protected or not)

> Some PKINIT questions then. If it used your PKCS11, With multiple
> providers, say a CAC pkcs11 and a PIV pkcs11, what would PKINIT see
> with regards to slots?

Good question.  I'll ask someone who'd know.

> I will have to try the OpenSC pkcs11-tool --module /usr/lib/
> after I build it tonight.

Please do, and let us know how it goes.  Thanks,
