System Administration Guide: Security Services

ProcedureHow to Prevent the Use of a User-Level Mechanism

If some of the cryptographic mechanisms from a library provider should not be used, you can remove selected mechanisms. This procedure uses the DES mechanisms in the pkcs11_softtoken library as an example.

  1. Become superuser or assume a role that includes the Crypto Management rights profile.

    To create a role that includes the Crypto Management rights profile and assign the role to a user, see Example 9–7.

  2. List the mechanisms that are offered by a particular user-level software provider.


    % cryptoadm list -m provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
    /usr/lib/security/$ISA/pkcs11_softtoken.so:
    CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES_KEY_GEN,
    CKM_DES3_CBC,CKM_DES3_CBC_PAD,CKM_DES3_ECB,CKM_DES3_KEY_GEN,
    CKM_AES_CBC,CKM_AES_CBC_PAD,CKM_AES_ECB,CKM_AES_KEY_GEN,
    …
  3. List the mechanisms that are available for use.


    $ cryptoadm list -p
    user-level providers:
    =====================
    …
    /usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled.
    random is enabled.
    …
  4. Disable the mechanisms that should not be used.


    $ cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so \
    > mechanism=CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB
    
  5. List the mechanisms that are available for use.


    $ cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
    /usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled,
    except CKM_DES_ECB,CKM_DES_CBC_PAD,CKM_DES_CBC. random is enabled.

Example 14–22 Enabling a User-Level Software Provider Mechanism

In the following example, a disabled DES mechanism is again made available for use.


$ cryptoadm list -m provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so:
CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES_KEY_GEN,
CKM_DES3_CBC,CKM_DES3_CBC_PAD,CKM_DES3_ECB,CKM_DES3_KEY_GEN,
…
$ cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled,
except CKM_DES_ECB,CKM_DES_CBC_PAD,CKM_DES_CBC. random is enabled.
$ cryptoadm enable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so \
> mechanism=CKM_DES_ECB
$ cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled,
except CKM_DES_CBC_PAD,CKM_DES_CBC. random is enabled.


Example 14–23 Enabling All User-Level Software Provider Mechanisms

In the following example, all mechanisms from the user-level library are enabled.


$ cryptoadm enable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so all
$ cryptoadm list -p provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled.
random is enabled.


Example 14–24 Permanently Removing User-Level Software Provider Availability

In the following example, the libpkcs11.so.1 library is removed.


$ cryptoadm uninstall provider=/opt/SUNWconn/lib/\$ISA/libpkcs11.so.1
$ cryptoadm list
user-level providers:
    /usr/lib/security/$ISA/pkcs11_kernel.so
    /usr/lib/security/$ISA/pkcs11_softtoken.so

kernel software providers:
…