[opensc-devel] Do smart card drivers generally support more than one PKCS#11 session?

Stef Walter stefw at collabora.co.uk
Tue Jun 21 10:59:09 PDT 2011


Sorry for taking so long to answer, was away for a week...

On 06/15/2011 11:28 PM, Nikos Mavrogiannopoulos wrote:
> On 06/13/2011 11:11 AM, Stef Walter wrote:
>> Since the PKCS#11 URI's say that the pinfile attribute of the URI
>> can be determined by the application, we can build something simple
>> in p11-kit and register callbacks so that one component (in the same
>> process) can provide the pin for another (like gnutls).
>
> I didn't like the pinfile attribute of pkcs11-urls much, because its
> semantics are undefined. I see it as an option that could cause
> compatibility issues between libraries using URLs. That's why I have
> ignored it so far.

Yes, I understand that the pinfile attribute is really ambiguous. Until 
recently I saw it as an oddity and confusing.

However I think we can turn the ambiguity of the pinfile attribute to an 
advantage (although I'm going to see if we can rename it to 'pin' on 
saag at ietf.org).

I've created an API in p11-kit which allows registering of callbacks to 
handle specific (or any) pinfile. This allows a UI (whether CLI or GUI) 
to register a pin callback. Then gnutls (or other libraries) can detect 
the presence of a pinfile attribute and use p11-kit to check if anyone 
has registered a callback for that pinfile.

Using the above scheme we could implement some stock callbacks which could:

  * Execute an application (as hinted in the spec)
  * Read from a file (although I can't imagine this to be very useful)

These stock callbacks would obviously not be registered by default.

My use case is: I'd like to be able to register a callback from within 
glib for a given URI, and then have it called by gnutls.

The API is here (subject to some fine tuning):

http://cgit.collabora.com/git/user/stefw/p11-kit.git/tree/p11-kit/pin.h?h=pinfile

> Are there other alternatives to solve the issue at hand?

I've tried threading context specific callbacks throughout gnutls, and 
it was a very tedious and messy exercise. I have an incomplete patch 
somewhere if you're interested.

This concept of registering a callback for the pinfile attribute gives 
us a nice granularity for prompting for PINs. But I'm open to other 
workable ideas.

Cheers,

Stef
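
Added example (not code from this post, from p11-kit, or from the pin.h linked above): a self-contained C sketch of the registration-and-lookup scheme described here. A consumer pulls the pinfile attribute out of a PKCS#11 URI, then asks a process-wide registry whether some component registered a callback for that exact pinfile or for any pinfile. Every function name, the registry layout, the percent-decoding rules and the sample URI are assumptions made for this example.

```c
/* Added example, NOT p11-kit's API: a minimal registry of PIN callbacks
 * keyed by the "pinfile" attribute of a PKCS#11 URI. All names here are
 * hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_CALLBACKS 8

/* A callback fills buf with a NUL-terminated PIN and returns 1, or returns 0
 * to decline (e.g. a UI component that cannot prompt right now). */
typedef int (*pin_callback)(const char *pinfile, char *buf, size_t buflen,
                            void *data);

struct pin_entry {
    const char  *pinfile;   /* exact pinfile value, or NULL for "any" */
    pin_callback cb;
    void        *data;
};

static struct pin_entry registry[MAX_CALLBACKS];
static size_t registry_count;

/* Register cb for one pinfile, or for any pinfile when pinfile is NULL.
 * Returns 0 on success, -1 if the table is full or cb is missing. */
int pin_register_callback(const char *pinfile, pin_callback cb, void *data)
{
    if (cb == NULL || registry_count >= MAX_CALLBACKS)
        return -1;
    registry[registry_count].pinfile = pinfile;
    registry[registry_count].cb = cb;
    registry[registry_count].data = data;
    registry_count++;
    return 0;
}

void pin_unregister_all(void) { registry_count = 0; }

/* Resolve a PIN: callbacks registered for exactly this pinfile are tried
 * first (registration order), then the "any" callbacks. First callback that
 * returns 1 wins. Returns 0 if nobody claimed it or everyone declined. */
int pin_request(const char *pinfile, char *buf, size_t buflen)
{
    int pass;
    for (pass = 0; pass < 2; pass++) {
        size_t i;
        for (i = 0; i < registry_count; i++) {
            const struct pin_entry *e = &registry[i];
            int hit = e->pinfile == NULL ? pass == 1
                    : pass == 0 && strcmp(e->pinfile, pinfile) == 0;
            if (hit && e->cb(pinfile, buf, buflen, e->data))
                return 1;
        }
    }
    if (buflen) buf[0] = '\0';
    return 0;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Extract one query attribute (e.g. "pinfile") from a URI such as
 * "pkcs11:token=X;object=Y?pinfile=%2Fetc%2Fpin", percent-decoding it.
 * Returns 1 and fills out, or 0 if the attribute is absent, an escape is
 * malformed, or the value does not fit. */
int pkcs11_uri_query_attr(const char *uri, const char *name,
                          char *out, size_t outlen)
{
    const char *q = strchr(uri, '?');
    size_t nlen = strlen(name);
    if (q == NULL || outlen == 0)
        return 0;
    for (q = q + 1; ; q = strchr(q, '&') + 1) {
        const char *end = strchr(q, '&');
        size_t plen = end ? (size_t)(end - q) : strlen(q);
        if (plen > nlen && strncmp(q, name, nlen) == 0 && q[nlen] == '=') {
            const char *v = q + nlen + 1;
            size_t vlen = plen - nlen - 1, i, o = 0;
            for (i = 0; i < vlen; i++) {
                int c = (unsigned char)v[i];
                if (c == '%') {            /* need two hex digits after it */
                    int h, l;
                    if (i + 2 >= vlen) return 0;
                    h = hexval((unsigned char)v[i + 1]);
                    l = hexval((unsigned char)v[i + 2]);
                    if (h < 0 || l < 0) return 0;
                    c = h * 16 + l;
                    i += 2;
                }
                if (o + 1 >= outlen) return 0;
                out[o++] = (char)c;
            }
            out[o] = '\0';
            return 1;
        }
        if (end == NULL)
            return 0;
    }
}

/* Sample callbacks standing in for real components: one that answers with a
 * PIN it already holds (data), one that always declines. */
int static_pin_callback(const char *pinfile, char *buf, size_t buflen, void *data)
{
    (void)pinfile;
    return snprintf(buf, buflen, "%s", (const char *)data) < (int)buflen;
}

int declining_pin_callback(const char *pinfile, char *buf, size_t buflen, void *data)
{
    (void)pinfile; (void)buf; (void)buflen; (void)data;
    return 0;
}
```

Exact registrations are consulted before the "any" fallback, so a stock callback that reads a file or executes a program, if a caller ever did register one, would only be reached for pinfiles no other component claimed. The caller owns the PIN buffer and should wipe it once the C_Login call has consumed it; the registry itself never stores a PIN.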

