Load a PKCS#11 module for NSS to use
Stef Walter
stefw at redhat.com
Tue Aug 12 01:32:57 PDT 2014
On 12.08.2014 10:18, David Woodhouse wrote:
> On Tue, 2014-08-12 at 09:38 +0200, Stef Walter wrote:
>> On 12.08.2014 08:12, Watson Sato wrote:
>>> Hi,
>>>
>>> I'm a GSoC student and I'm developing a PKCS#11 module for Evolution.
>>> I'm about to integrate it into Evolution, and planning to load it by
>>> calling SECMOD_LoadUserModule().
>>>
>>> Some people recommended me to take a look on other approaches, like Gck
>>> and p11-kit.
>>> For what I have tried and tested, with both approaches I managed to load
>>> and initialize the modules. But the references to the modules remain in
>>> the application, and I need NSS to be able to use the module.
>>>
>>> Is there a way for an application to load a PKCS#11 module and make it
>>> available to NSS with p11-kit?
>>
>> Well, sorta ... You can use the p11-kit-proxy.so module. By using that
>> all configured p11-kit modules become available to NSS.
>>
>> But I think what you're trying to do SECMOD_LoadUserModule() is the
>> perfect function to use. As I understand it, you're not trying to build
>> a globally configured/installed module, but rather something specific to
>> the running Evolution process. There's no need to involve p11-kit in the
>> loading.
>
> Yes and no.
>
> In fact, this module is exposing X.509 certificates from Evolution
> addressbooks. Yes, the *primary* use case is for Evolution itself, so
> you can send S/MIME-encrypted mail to someone in your addressbook, and
> you don't throw your computer out the window in frustration when it says
> it has no certificate for them.... despite clearly showing the
> appropriate X-CERT-X509 field when you look at their addressbook entry.
This is indeed a very good thing to fix.
> But actually, there's no reason why the data in the same PKCS#11 module
> shouldn't be made available to other crypto users in the general case...
> which is where p11-kit comes in.
Perhaps, but you'll quickly get into the weeds here. It's all possible
... but it's not that pretty.
* You'll *definitely* want to use the 'isolate' functionality in
p11-kit 0.21.x, since GLib (and by extension Camel, and whatever) is
not unloadable and would crash when your PKCS#11 module is unloaded.
* Make sure to use a *enable-in* directive so random PKCS#11 aware
applications (as in stuff using gnutls) don't try to load EDS just
because they load your module. Whitelist the use of your module.
* In order to use NSS with p11-kit you currently have to use
p11-kit-proxy.so ... so loading your module is dependent on
p11-kit configuration. You have no explicit control here from within
evolution, although you can configure things appropriately at a
distro level.
* ... and I'm sure there's several more issues that will eventually
make you cry. Solvable yes ... but painful.
I think you're overcomplicating the actual real world use case above by
dragging all this in. I would again suggest making it work with
Evolution first, and then worrying about everything else in a later
iteration.
Stef
More information about the p11-glue
mailing list