The Solaris Cryptographic Framework provides algorithms for several types of consumers:
User-level providers provide a PKCS #11 cryptographic interface to applications that are linked with the libpkcs11 library
Kernel software providers provide algorithms for IPsec, Kerberos, and other Solaris kernel components
Kernel hardware providers provide algorithms that are available to kernel consumers and to applications through the pkcs11_kernel library
List the providers in a brief format.
The contents and format of the providers list varies for different Solaris releases. Run the cryptoadm list command on your system to see the providers that your system supports.
Only those mechanisms at the user level are available for use by regular users.
% cryptoadm list User-level providers: Provider: /usr/lib/security/$ISA/pkcs11_kernel.so Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so Kernel software providers: des aes arcfour blowfish ecc sha1 sha2 md4 md5 rsa swrand Kernel hardware providers: ncp/0 |
List the providers and their mechanisms in the Solaris Cryptographic Framework.
All mechanisms are listed in the following output. However, some of the listed mechanisms might be unavailable for use. To list only the mechanisms that the administrator has approved for use, see Example 14–20.
The output is truncated for display purposes.
% cryptoadm list -m User-level providers: ===================== Provider: /usr/lib/security/$ISA/pkcs11_kernel.so /usr/lib/security/$ISA/pkcs11_kernel.so: no slots presented. Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so Mechanisms: CKM_DES_CBC CKM_DES_CBC_PAD CKM_DES_ECB CKM_DES_KEY_GEN CKM_DES_MAC_GENERAL ... CKM_ECDSA_SHA1 CKM_ECDH1_DERIVE Kernel software providers: ========================== des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC aes: CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,CKM_AES_CCM,CKM_AES_GCM,CKM_AES_GMAC arcfour: CKM_RC4 blowfish: CKM_BLOWFISH_ECB,CKM_BLOWFISH_CBC ecc: CKM_EC_KEY_PAIR_GEN,CKM_ECDH1_DERIVE,CKM_ECDSA,CKM_ECDSA_SHA1 sha1: CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL sha2: CKM_SHA256,CKM_SHA256_HMAC,CKM_SHA256_HMAC_GENERAL,CKM_SHA384,CKM_SHA384_HMAC, CKM_SHA384_HMAC_GENERAL,CKM_SHA512,CKM_SHA512_HMAC,CKM_SHA512_HMAC_GENERAL md4: CKM_MD4 md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS, CKM_SHA256_RSA_PKCS,CKM_SHA384_RSA_PKCS,CKM_SHA512_RSA_PKCS swrand: No mechanisms presented. Kernel hardware providers: ========================== ncp/0: CKM_DSA,CKM_RSA_X_509,CKM_RSA_PKCS,CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_DH_PKCS_KEY_PAIR_GEN,CKM_DH_PKCS_DERIVE,CKM_EC_KEY_PAIR_GEN, CKM_ECDH1_DERIVE,CKM_ECDSA |
In the following example, all mechanisms that the user-level library, pkcs11_softtoken, offers are listed.
% cryptoadm list -m provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so Mechanisms: CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES_KEY_GEN, CKM_DES3_CBC,CKM_DES3_CBC_PAD,CKM_DES3_ECB,CKM_DES3_KEY_GEN, … CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_TLS_KEY_AND_MAC_DERIVE |
Policy determines which mechanisms are available for use. The administrator sets the policy. An administrator can choose to disable mechanisms from a particular provider. The -p option displays the list of mechanisms that are permitted by the policy that the administrator has set.
% cryptoadm list -p User-level providers: ===================== /usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled. /usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_MD5. random is enabled. Kernel software providers: ========================== des: all mechanisms are enabled. aes: all mechanisms are enabled. arcfour: all mechanisms are enabled. blowfish: all mechanisms are enabled. ecc: all mechanisms are enabled. sha1: all mechanisms are enabled. sha2: all mechanisms are enabled. md4: all mechanisms are enabled. md5: all mechanisms are enabled. rsa: all mechanisms are enabled. swrand: random is enabled. Kernel hardware providers: ========================== ncp/0: all mechanisms are enabled. random is enabled. |