Do smart card drivers generally support more than one PKCS#11 session?
stefw at collabora.co.uk
Fri Jun 10 03:11:37 PDT 2011
On 06/09/2011 09:37 PM, Stef Walter wrote:
> I'm working on integrating smart card support via PKCS#11 into glib and
> gcr (part of gnome-keyring). We're integrating with GnuTLS for TLS support.
> I'd like to be able to do a C_Login in my code, and then pass off the
> URL to Gnutls. GnuTLS would then open another session, recognize that
> we're already logged in (this may need a slight tweak in the gnutls
> code) and then proceed without prompting the user.

After sleeping on this idea, I realized it won't work in certain cases,
in particular when the key has CKA_ALWAYS_AUTHENTICATE and requires
C_Login with CKU_CONTEXT_SPECIFIC.

> The reason for this is that the gnutls callback for prompting the user
> to login is a global one, and hard to use from another library without
> assuming that the caller is the only gnutls consumer.

I'll instead propose a patch to gnutls which associates the login
callback with the private key.
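
An added illustration, not code from this post, gnome-keyring or GnuTLS: a toy in-memory model of the PKCS#11 login rules behind the message above, showing why a C_Login done by the application carries over to a second session for ordinary keys but not for a CKA_ALWAYS_AUTHENTICATE key. The `model_*` functions and `handoff` are hypothetical names; only the `CKR_`/`CKU_` constants and their values are taken from PKCS#11, and the model assumes an unauthenticated use of such a key fails with CKR_USER_NOT_LOGGED_IN.

```c
#include <stdbool.h>

/* Return codes and user types, with the values PKCS#11 assigns them. */
enum { CKR_OK = 0x0, CKR_OPERATION_NOT_INITIALIZED = 0x91,
       CKR_USER_ALREADY_LOGGED_IN = 0x100, CKR_USER_NOT_LOGGED_IN = 0x101 };
enum { CKU_USER = 1, CKU_CONTEXT_SPECIFIC = 2 };

/* Toy model (not a driver): login state lives on the token and is shared by
 * all sessions; an active signing operation belongs to a single session. */
struct token   { bool user_logged_in; };
struct session { struct token *tok; bool op_active, op_needs_auth, op_authed; };

static int model_login(struct session *s, int user_type) {
    if (user_type == CKU_CONTEXT_SPECIFIC) {
        /* Only meaningful while an operation is pending on this session. */
        if (!s->op_active) return CKR_OPERATION_NOT_INITIALIZED;
        s->op_authed = true;
        return CKR_OK;
    }
    if (s->tok->user_logged_in) return CKR_USER_ALREADY_LOGGED_IN;
    s->tok->user_logged_in = true;
    return CKR_OK;
}

static int model_sign_init(struct session *s, bool always_authenticate) {
    if (!s->tok->user_logged_in) return CKR_USER_NOT_LOGGED_IN;
    s->op_active = true;
    s->op_needs_auth = always_authenticate;
    s->op_authed = false;              /* fresh authentication per operation */
    return CKR_OK;
}

static int model_sign(struct session *s) {
    if (!s->op_active) return CKR_OPERATION_NOT_INITIALIZED;
    bool ok = !s->op_needs_auth || s->op_authed;
    s->op_active = false;              /* the operation ends either way */
    return ok ? CKR_OK : CKR_USER_NOT_LOGGED_IN;
}

/* The application logs in on one session; a TLS library signs on another. */
static int handoff(bool always_authenticate, bool lib_can_prompt) {
    struct token t = { false };
    struct session app = { &t, false, false, false }, lib = { &t, false, false, false };
    int rv;
    if ((rv = model_login(&app, CKU_USER)) != CKR_OK) return rv;
    if ((rv = model_sign_init(&lib, always_authenticate)) != CKR_OK) return rv;
    if (always_authenticate && lib_can_prompt &&
        (rv = model_login(&lib, CKU_CONTEXT_SPECIFIC)) != CKR_OK) return rv;
    return model_sign(&lib);
}
```

In the model, `handoff(true, false)` is the case the message describes: the signing library has no way to ask for the PIN, so the sign fails even though the application already logged in.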