pkinit updates
Douglas E. Engert
deengert at anl.gov
Wed Dec 13 18:55:36 EST 2006
Replying to myself:
Douglas E. Engert wrote:
> More on the Solaris /usr/lib/libpkcs11.so ...
>
> Nicolas Williams wrote:
>
>
>>>>If the OS ships with a PKCS#11 implementation, then use that as the
>>>>default. (Solaris 10+, for example, has /usr/lib/libpkcs11.so.)
>>>
>
>>The softtoken provider uses "soft" tokens for storing keys (i.e., an
>>encrypted file in ~/.sunw/pkcs11_softtoken/private).
>>
>
> I will have to try the OpenSC pkcs11-tool --module /usr/lib/libpkcs11.so
> after I build it tonight.
>
>
Well, it built sooner than expected:
It has one slot, with a token labeled "Sun Metaslot" with lots
of methods, but no keys, certs or other objects.
It's a start. Now how can I get an OpenSC opensc-pkcs11.so signed
and called?

./pkcs11-tool --module /usr/lib/libpkcs11.so -I
Cryptoki version 2.20
Manufacturer Sun Microsystems, Inc.
Library Sun Crypto Softtoken (ver 1.212)

./pkcs11-tool --module /usr/lib/libpkcs11.so -L
Available slots:
Slot 0 Sun Metaslot
token label: Sun Metaslot
token manuf: Sun Microsystems, Inc.
token model: 1.0
token flags: rng, login required, PIN initialized, token initialized, other flags=0x80200
serial num :

./pkcs11-tool --module /usr/lib/libpkcs11.so -O

./pkcs11-tool --module /usr/lib/libpkcs11.so -M
Supported mechanisms:
RSA-PKCS-KEY-PAIR-GEN, keypairgen
RSA-PKCS, sign, verify, wrap, unwrap, encrypt, decrypt, other flags=0x25000
RSA-X-509, sign, verify, wrap, unwrap, encrypt, decrypt, other flags=0x25000
MD5-RSA-PKCS, sign, verify
SHA1-RSA-PKCS, sign, verify
DSA-KEY-PAIR-GEN, keypairgen
DSA, sign, verify
DSA-SHA1, sign, verify
DH-PKCS-KEY-PAIR-GEN, keypairgen
DH-PKCS-DERIVE, other flags=0x80000
mechtype-64, sign, verify
mechtype-65, sign, verify
mechtype-66, sign, verify
RC4-KEY-GEN, other flags=0x8000
RC4, encrypt, decrypt
DES-KEY-GEN, other flags=0x8000
DES-ECB, wrap, unwrap, encrypt, decrypt, other flags=0x20000
DES-CBC, wrap, unwrap, encrypt, decrypt, other flags=0x20000
DES-MAC, sign, verify
DES-MAC-GENERAL, sign, verify
DES-CBC-PAD, wrap, unwrap, encrypt, decrypt, other flags=0x20000
DES3-KEY-GEN, other flags=0x8000
DES3-ECB, wrap, unwrap, encrypt, decrypt, other flags=0x20000
DES3-CBC, wrap, unwrap, encrypt, decrypt, other flags=0x20000
DES3-CBC-PAD, wrap, unwrap, encrypt, decrypt, other flags=0x20000
MD5, digest
MD5-HMAC, sign, verify
MD5-HMAC-GENERAL, sign, verify
SHA-1, digest
SHA-1-HMAC, sign, verify
SHA-1-HMAC-GENERAL, sign, verify
mechtype-592, digest
mechtype-593, sign, verify
mechtype-594, sign, verify
mechtype-608, digest
mechtype-609, sign, verify
mechtype-610, sign, verify
mechtype-624, digest
mechtype-625, sign, verify
mechtype-626, sign, verify
SSL3-PRE-MASTER-KEY-GEN, other flags=0x8000
SSL3-MASTER-KEY-DERIVE, other flags=0x80000
SSL3-KEY-AND-MAC-DERIVE, other flags=0x80000
SSL3-MASTER-KEY-DERIVE-DH, other flags=0x80000
TLS-PRE-MASTER-KEY-GEN, other flags=0x8000
TLS-MASTER-KEY-DERIVE, other flags=0x80000
TLS-KEY-AND-MAC-DERIVE, other flags=0x80000
TLS-MASTER-KEY-DERIVE-DH, other flags=0x80000
mechtype-888, other flags=0x80000
SSL3-MD5-MAC, sign, verify
SSL3-SHA1-MAC, sign, verify
MD5-KEY-DERIVATION, other flags=0x80000
SHA1-KEY-DERIVATION, other flags=0x80000
mechtype-915, other flags=0x80000
mechtype-916, other flags=0x80000
mechtype-917, other flags=0x80000
PBE-SHA1-RC4-128, other flags=0x8000
PKCS5-PBKD2, other flags=0x8000
AES-KEY-GEN, other flags=0x8000
AES-ECB, wrap, unwrap, encrypt, decrypt, other flags=0x20000
AES-CBC, wrap, unwrap, encrypt, decrypt, other flags=0x20000
AES-CBC-PAD, wrap, unwrap, encrypt, decrypt, other flags=0x20000
mechtype-4240, other flags=0x8000
mechtype-4241, wrap, unwrap, encrypt, decrypt, other flags=0x20000

P.S. Who assigned the token label?
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444