| |
@@ -0,0 +1,44 @@
|
| |
+ From 3395ec9f66c5b5c4c1faf6b53f07ec40fdf714b3 Mon Sep 17 00:00:00 2001
|
| |
+ From: Julien Rische <jrische@redhat.com>
|
| |
+ Date: Tue, 5 Apr 2022 08:49:14 +0200
|
| |
+ Subject: [PATCH] Use p11-kit to find an installed PKCS11 token
|
| |
+
|
| |
+ PKINIT is using opensc-pkcs11.so by default. Any other module has to be
|
| |
+ configured explicitly.
|
| |
+
|
| |
+ Relpacing it by p11-kit-proxy.so enables PKINIT to use any other
|
| |
+ available token.
|
| |
+ ---
|
| |
+ doc/admin/conf_files/krb5_conf.rst | 2 +-
|
| |
+ src/plugins/preauth/pkinit/pkinit.h | 2 +-
|
| |
+ 2 files changed, 2 insertions(+), 2 deletions(-)
|
| |
+
|
| |
+ diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
| |
+ index adba8238d..cad9979dc 100644
|
| |
+ --- a/doc/admin/conf_files/krb5_conf.rst
|
| |
+ +++ b/doc/admin/conf_files/krb5_conf.rst
|
| |
+ @@ -1020,7 +1020,7 @@ information for PKINIT is as follows:
|
| |
+ All keyword/values are optional. *modname* specifies the location
|
| |
+ of a library implementing PKCS #11. If a value is encountered
|
| |
+ with no keyword, it is assumed to be the *modname*. If no
|
| |
+ - module-name is specified, the default is ``opensc-pkcs11.so``.
|
| |
+ + module-name is specified, the default is ``p11-kit-proxy.so``.
|
| |
+ ``slotid=`` and/or ``token=`` may be specified to force the use of
|
| |
+ a particular smard card reader or token if there is more than one
|
| |
+ available. ``certid=`` and/or ``certlabel=`` may be specified to
|
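Review bot: The reworded default in the *modname* paragraph does not say that `p11-kit-proxy.so` is a proxy rather than a single token driver, so the modules and tokens PKINIT sees by default now depend on the host's p11-kit configuration. Suggest adding a sentence that states this and points to the `slotid=`/`token=` text that follows as the way to pin one token when several are exposed. The context line still reads "smard card", which could be corrected in the same change.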
| |
+ diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
|
| |
+ index b437fd53f..f8cb0a2dd 100644
|
| |
+ --- a/src/plugins/preauth/pkinit/pkinit.h
|
| |
+ +++ b/src/plugins/preauth/pkinit/pkinit.h
|
| |
+ @@ -42,7 +42,7 @@
|
| |
+ #ifndef WITHOUT_PKCS11
|
| |
+ #include "pkcs11.h"
|
| |
+
|
| |
+ -#define PKCS11_MODNAME "opensc-pkcs11.so"
|
| |
+ +#define PKCS11_MODNAME "p11-kit-proxy.so"
|
| |
+ #define PK_SIGLEN_GUESS 1000
|
| |
+ #define PK_NOSLOT 999999
|
| |
+ #endif
|
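Review bot: `PKCS11_MODNAME` in pkinit.h remains a hard-coded bare soname, so a host that has `opensc-pkcs11.so` but not `p11-kit-proxy.so` loses its working default after this change unless *modname* is set explicitly. Suggest recording the new runtime dependency on p11-kit in the commit message or packaging, or making the default overridable at build time, for instance by guarding the define with `#ifndef PKCS11_MODNAME`.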
| |
+ --
|
| |
+ 2.35.1
|
| |
+
|
| |
PKINIT is using opensc-pkcs11.so by default. Any other module has to be configured explicitly.
Replacing it by p11-kit-proxy.so enables PKINIT to use any other available token.
Resolves: rhbz#2073274