PR#12: Use p11-kit to find an installed PKCS11 token - rpms/krb5

rpms / krb5

#12 Use p11-kit to find an installed PKCS11 token

Closed 2 years ago by jrische. Opened 2 years ago by jrische.

rpms/ jrische/krb5 rawhide into rawhide

Use p11-kit to find an installed PKCS11 token

Julien Rische • 2 years ago

419c04a

downstream-Use-p11-kit-to-find-an-installed-PKCS11-token.patch

file added

+44

		`@@ -0,0 +1,44 @@`
		`+ From 3395ec9f66c5b5c4c1faf6b53f07ec40fdf714b3 Mon Sep 17 00:00:00 2001`
		`+ From: Julien Rische <jrische@redhat.com>`
		`+ Date: Tue, 5 Apr 2022 08:49:14 +0200`
		`+ Subject: [PATCH] Use p11-kit to find an installed PKCS11 token`
		`+`
		`+ PKINIT is using opensc-pkcs11.so by default. Any other module has to be`
		`+ configured explicitly.`
		`+`
		`+ Relpacing it by p11-kit-proxy.so enables PKINIT to use any other`
		`+ available token.`
		`+ ---`
		`+ doc/admin/conf_files/krb5_conf.rst \| 2 +-`
		`+ src/plugins/preauth/pkinit/pkinit.h \| 2 +-`
		`+ 2 files changed, 2 insertions(+), 2 deletions(-)`
		`+`
		`+ diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst`
		`+ index adba8238d..cad9979dc 100644`
		`+ --- a/doc/admin/conf_files/krb5_conf.rst`
		`+ +++ b/doc/admin/conf_files/krb5_conf.rst`
		`+ @@ -1020,7 +1020,7 @@ information for PKINIT is as follows:`
		`+ All keyword/values are optional. modname specifies the location`
		`+ of a library implementing PKCS #11. If a value is encountered`
		`+ with no keyword, it is assumed to be the modname. If no`
		+ - module-name is specified, the default is ``opensc-pkcs11.so``.
		+ + module-name is specified, the default is ``p11-kit-proxy.so``.
		+ ``slotid=`` and/or ``token=`` may be specified to force the use of
		`+ a particular smard card reader or token if there is more than one`
		+ available. ``certid=`` and/or ``certlabel=`` may be specified to
		`+ diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h`
		`+ index b437fd53f..f8cb0a2dd 100644`
		`+ --- a/src/plugins/preauth/pkinit/pkinit.h`
		`+ +++ b/src/plugins/preauth/pkinit/pkinit.h`
		`+ @@ -42,7 +42,7 @@`
		`+ #ifndef WITHOUT_PKCS11`
		`+ #include "pkcs11.h"`
		`+`
		`+ -#define PKCS11_MODNAME "opensc-pkcs11.so"`
		`+ +#define PKCS11_MODNAME "p11-kit-proxy.so"`
		`+ #define PK_SIGLEN_GUESS 1000`
		`+ #define PK_NOSLOT 999999`
		`+ #endif`
		`+ --`
		`+ 2.35.1`
		`+`

krb5.spec

file modified

+6 -1

		`@@ -42,7 +42,7 @@`
		`Summary: The Kerberos network authentication system`
		`Name: krb5`
		`Version: 1.19.2`
		`- Release: %{?zdpd}9%{?dist}`
		`+ Release: %{?zdpd}10%{?dist}`

		`# rharwood has trust path to signing key and verifies on check-in`
		`Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz`
		`@@ -97,6 +97,7 @@`
		`Patch37: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch`
		`Patch38: krb5-krad-remote.patch`
		`Patch39: krb5-krad-larger-attrs.patch`
		`+ Patch40: downstream-Use-p11-kit-to-find-an-installed-PKCS11-token.patch`

		`License: MIT`
		`URL: https://web.mit.edu/kerberos/www/`
		`@@ -217,6 +218,7 @@`
		`%package pkinit`
		`Summary: The PKINIT module for Kerberos 5`
		`Requires: %{name}-libs%{?_isa} = %{version}-%{release}`
		`+ Recommends: p11-kit >= 0.24.1-2`
		`Obsoletes: krb5-pkinit-openssl < %{version}-%{release}`
		`Provides: krb5-pkinit-openssl = %{version}-%{release}`

		`@@ -646,6 +648,9 @@`
		`%{_libdir}/libkadm5srv_mit.so.*`

		`%changelog`
		`+ * Tue Apr 05 2022 Julien Rische <jrische@redhat.com> - 1.19.2-10`
		`+ - Use p11-kit to find tokens for PKINIT`
		`+`
		`* Tue Apr 05 2022 Alexander Bokovoy <abokovoy@redhat.com> - 1.19.2-9`
		`- Fix libkrad client cleanup`
		`- Fixes rhbz#2072059`

jrische commented 2 years ago

PKINIT is using opensc-pkcs11.so by default. Any other module has to be configured explicitly.

Relpacing it by p11-kit-proxy.so enables PKINIT to use any other available token.

Resolves: rhbz#2073274

jjelen commented on line 14 of krb5.spec 2 years ago

is there a reason not to have this in upstream or have it build-time configurable?

rebased onto 419c04a

2 years ago

jrische commented 2 years ago

Greg Hudson approved the idea of having a build parameter to set the default PKCS11 module. I will open a PR upstream instead.

Pull-Request has been closed by jrische

2 years ago

Metadata

Assignee

None

Tags

No Tags

Changes Summary 2

+44

file added