gnome-keyring Dependency on p11-kit

Stef Walter stefw at gnome.org
Fri Jul 8 08:08:01 PDT 2011


On 07/08/2011 02:02 PM, Martin Paljak wrote:
> Has anyone come up with a comparison chart about different "PKCS#11
> development libraries" outlining the differences and some subjective
> pros and cons of the wrappers? I know p11-kit, libp11, pkcs11-helper,
> pakchois ... I guess there are more. The only common thing is "they
> are all in C". For example, libp11 is quite limited to RSA/PKCS#1 and
> hides P11, meaning it is somewhat challenging to use the plain
> PKCS#11.
> 
> Just curious, would like to do it myself once I get the time to dig
> into it but I guess you might be more aware of the details.

I haven't used all of them. I do know some about pakchois and p11-kit:

p11-kit isn't a generic PKCS#11 wrapper (at least not yet, heh). The
only thing it wraps is the loading and initializing of PKCS#11 modules.
This includes configuration, and reference counted initialization. In
reality though, this is a big part of any PKCS#11 development library.

In addition it provides a reference implementation of PKCS#11 URIs,
including support for using the 'pinfile' attribute to get PINs from the
user or other sources.

The goal of p11-kit is the interoperability of various applications
using PKCS#11. Because of this it can't be used in tree, but must be
used as a shared library.

It's designed to be small and have low dependencies, so much so that I
think other PKCS#11 development libraries could depend on it to solve
the reference counting and configuration problems. GnuTLS,
gnome-keyring, and hopefully soon glib-networking have p11-kit dependencies.

p11-kit has a PKCS#11 module mode which can be used with any PKCS#11
application, even those not specifically designed to use p11-kit.

Pakchois is a thin wrapper around PKCS#11. You still have to understand
how PKCS#11 works, but it handles the loading and bookkeeping bits for
you. So it's not super limited. It can be used in tree, instead of as a
shared library.

Joe Orton and I were talking about the possibility of merging pakchois
or its functionality into p11-kit, but we haven't really gotten that far.

Hope that's a little help. I haven't looked too deeply at the other
libraries, and haven't built up any comparisons of any sort.

Cheers,

Stef
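
Added example, not part of the original message and not p11-kit code: a small C model of the reference counted initialization problem mentioned above, where two libraries in one process share a PKCS#11 module and the first one to finish finalizes it. The names module_t, mod_*, shared_* and b_sees are hypothetical; only the CKR_* return codes come from the PKCS#11 specification.

```c
#include <stdio.h>
/* Return codes from the PKCS#11 specification */
#define CKR_OK                           0x000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL

/* Constructed stand-in for one loaded module; hypothetical, not p11-kit code */
typedef struct { int initialized; int refs; } module_t;

/* The module's own entry points: one process-wide state, no notion of callers */
static unsigned long mod_initialize(module_t *m) {
    if (m->initialized) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    m->initialized = 1;
    return CKR_OK;
}
static unsigned long mod_finalize(module_t *m) {
    if (!m->initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    m->initialized = 0;
    return CKR_OK;
}
static unsigned long mod_use(const module_t *m) { /* any later call */
    return m->initialized ? CKR_OK : CKR_CRYPTOKI_NOT_INITIALIZED;
}

/* Shared wrapper: first caller initializes, last finalizes (no locking shown) */
static unsigned long shared_initialize(module_t *m) {
    unsigned long rv = m->refs ? CKR_OK : mod_initialize(m);
    if (rv == CKR_OK) m->refs++;
    return rv;
}
static unsigned long shared_finalize(module_t *m) {
    if (m->refs == 0) return CKR_CRYPTOKI_NOT_INITIALIZED;
    return --m->refs ? CKR_OK : mod_finalize(m);
}

/* Libraries A and B share a process; A finishes first. Returns what B sees. */
static unsigned long b_sees(int use_wrapper) {
    module_t m = {0, 0};
    unsigned long (*init)(module_t *) = use_wrapper ? shared_initialize : mod_initialize;
    unsigned long (*fini)(module_t *) = use_wrapper ? shared_finalize : mod_finalize;
    init(&m);        /* A */
    init(&m);        /* B: direct call gets ALREADY_INITIALIZED and carries on */
    fini(&m);        /* A is done */
    return mod_use(&m);
}

int main(void) {
    printf("direct: 0x%lx\nshared: 0x%lx\n", b_sees(0), b_sees(1));
    return 0;
}
```

With direct calls, B's next operation fails with CKR_CRYPTOKI_NOT_INITIALIZED after A finalizes; through the shared wrapper the module stays initialized until the last user releases it.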

