updating kcf.conf/pkcs11.conf in an IPS world

Darren J Moffat Darren.Moffat at Sun.COM
Fri Aug 15 01:32:43 PDT 2008


I'm dropping pkg-discuss from this for now while we explore some other 
ideas.

If we implemented the fix for 6414175 to make the supportedlist no 
longer required then the only need for kcf.conf is policy.  That makes 
kcf.conf purely a local policy edited (by cryptoadm) file and all we 
need to deliver is an empty file.

To make this a reality we also need to change cryptoadm so that it can 
insert policy for any driver name regardless of the presence of the 
driver_names= "comments".

For pkcs11.conf we don't have a supportedlist anyway.  The pkcs11.conf 
currently contains the metaslot settings (the defaults in the delivered 
pkcs11.conf file match the compiled in defaults, if they don't they 
should) and the list of pkcs11 modules.   The list of pkcs11 modules 
used by default could be compiled into libpkcs11 in the short term and 
when we do the Highlander project to collapse libpkcs11/kernel/softtoken 
into one library that problem goes away anyway.

This means that like kcf.conf the pkcs11.conf file could become purely 
a local policy file updated by cryptoadm.  We would need to do a similar 
relaxing of the file update as we do for kcf.conf to allow the policy 
entries to be placed in the file even if nothing was there before.

One big win I see here is that we don't need to do anything in the 
start/stop/refresh methods of cryptosvc for this to work.

If we do this I believe we remove all need for us to ever update 
kcf.conf and/or pkcs11.conf during a Solaris/OpenSolaris install/upgrade 
even on a system with hardware providers (ncp,n2cp,n2rng,dca).  The 
existing packages for mca (SCA-6000) won't do any harm to this by 
continuing to use the i.kcfconf class action script.  Similarly for any 
3rd party SVR4 packaged modules that use i.kcfconf and/or i.pkcs11conf. 
They will continue to work as originally designed (in the latter case we 
actually need the SVR4 package to still update pkcs11.conf with the new 
provider anyway).  We will need new instructions for adding third party 
providers via IPS but until IPS is a little further along that is 
premature to worry about.


-- 
Darren J Moffat
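As an added illustration (not code from the message, from cryptoadm, or from the Solaris project), the update behaviour the message asks for: insert or replace a provider's policy entry whether or not a `driver_names=` comment or any earlier entry for that provider exists, including in an empty delivered file, while leaving comments untouched. The line syntax `provider:disabledlist=MECH1,MECH2` and the `# driver_names=...` comment form are assumptions made for this example, as is the constructed sample file.

```python
"""Idempotent policy update for a kcf.conf-style local policy file.

Assumed format (an assumption for this example): one policy entry per line,
`provider:disabledlist=MECH1,MECH2`; '#' starts a comment; a provider name may
appear only inside a `# driver_names=...` comment, in a policy line, or not at
all.  The update must work in every case, and on an empty file.
"""
import re

POLICY_RE = re.compile(r"^(?P<name>[^#:\s]+):disabledlist=(?P<mechs>\S*)$")

# Constructed sample, not a real kcf.conf.
SAMPLE = """# constructed sample policy file
# driver_names=des,aes
des:disabledlist=CKM_DES_ECB
"""


def parse_policy(text):
    """Return {provider: [disabled mechanisms]} from the policy lines only;
    comments (including driver_names=) and blank lines are ignored."""
    policy = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = POLICY_RE.match(stripped)
        if m:
            policy[m.group("name")] = [x for x in m.group("mechs").split(",") if x]
    return policy


def set_disabled(text, provider, mechs):
    """Return the file text with provider's disabledlist set to mechs.

    Comments are preserved verbatim; an existing policy line for provider is
    replaced in place (duplicates dropped), otherwise the line is appended, so
    no prior mention of the provider is required.  An empty mechs list removes
    the provider's policy line, i.e. nothing disabled."""
    new_line = f"{provider}:disabledlist={','.join(mechs)}" if mechs else None
    out, replaced = [], False
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m and m.group("name") == provider:
            if new_line is not None and not replaced:
                out.append(new_line)
            replaced = True
            continue
        out.append(line)
    if new_line is not None and not replaced:
        out.append(new_line)
    return "\n".join(out) + ("\n" if out else "")
```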


