Network enabled SoftHSM

Stef Walter stefw at
Wed Apr 13 22:20:54 PDT 2011

I hope it's okay if I CC the p11-glue mailing list.

On 04/12/11 16:53, Simon Josefsson wrote:
> Hi Stef!  I didn't meet you at FOSDEM, but the pkcs11-proxy project
> reminded me about you again.. :-)

I was looking forward to meeting you, but must have missed you. We had a
great discussion about integration of applications crypto storage, which
resulted in this:

> My question is really about the gnome-keyring PKCS#11 protocol.  I have
> been thinking about a serialized PKCS#11 protocol over network for quite
> some time, and wanted to use something like that in a few projects.
> Have you documented your wire protocol? 

No, I haven't, and I didn't really imagine that it's a sane 'general'
solution to the problem. There are all sorts of corner case calls that
are not supported by the protocol.

In addition there's a fundamental problem: Multiple applications cannot
use a module loaded into a single process (like a daemon). Those
applications would see session objects of each other and PKCS#11
security and containment guarantees would be broken.

Gnome Keyring gets around this by using a dirty hack in its modules.
Initially I was interested in making this protocol a 'general' and
reusable component. But this is the main reason that I became less

Because of this problem, each client must have a separate process in the
daemon. That said there has been some renewed interest in making this
work. And perhaps we should split out the protocol into its own module.
A while back Joe Orton (if I recall correctly) came up with code that
did this.

There was some discussion about unstable modules at FOSDEM, and whether
we should split those into their own processes for security. This
protocol could work with that.

BTW, on another topic are you aware of this fundamental problem (and its



More information about the p11-glue mailing list