gnome-keyring Dependency on p11-kit
Stef Walter
stefw at gnome.org
Fri Jul 8 08:08:01 PDT 2011
On 07/08/2011 02:02 PM, Martin Paljak wrote:
> Has anyone come up with a comparison chart about different "PKCS#11
> development libraries" outlining the differences and some subjective
> pros and cons of the wrappers? I know p11-kit, libp11, pkcs11-helper,
> pakchois ... I guess there are more. The only common thing is "they
> are all in C". For example, libp11 is quite limited to RSA/PKCS#1 and
> hides P11, meaning it is somewhat challenging to use the plain
> PKCS#11.
>
> Just curious, would like to do it myself once I get the time to dig
> into it but I guess you might be more aware of the details.

I haven't used all of them. I do know some about pakchois and p11-kit:

p11-kit isn't a generic PKCS#11 wrapper (at least not yet, heh). The
only thing it wraps is the loading and initializing of PKCS#11 modules.
This includes configuration, and reference counted initialization. In
reality though, this is a big part of any PKCS#11 development library.

In addition it provides a reference implementation of PKCS#11 URIs,
including support for using the 'pinfile' attribute to get PINs from the
user or other sources.

The goal of p11-kit is the interoperability of various applications
using PKCS#11. Because of this it can't be used in tree, but must be
used as a shared library.

It's designed to be small and have low dependencies, so much so that I
think other PKCS#11 development libraries could depend on it to solve
the reference counting and configuration problems. GnuTLS,
gnome-keyring, and hopefully soon glib-networking have p11-kit dependencies.

p11-kit has a PKCS#11 module mode which can be used with any PKCS#11
application, even those not specifically designed to use p11-kit.

Pakchois is a thin wrapper around PKCS#11. You still have to understand
how PKCS#11 works, but it handles the loading and bookkeeping bits for
you. So it's not super limited. It can be used in tree, instead of as a
shared library.

Joe Orton and I were talking about the possibility of merging pakchois
or its functionality into p11-kit, but we haven't really gotten that far.

Hope that's a little help. I haven't looked too deeply at the other
libraries, and haven't built up any comparisons of any sort.

Cheers,
Stef
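
The reference-counted initialization mentioned in the message above, shown as an added illustration that is not part of the original email and is not p11-kit's code. The `mock_C_*` functions are a constructed stand-in for a loaded module, and `shared_initialize`/`shared_finalize` are hypothetical names for a process-wide wrapper; only the `CKR_*` values come from the PKCS#11 specification.

```c
#include <stdio.h>

/* Return codes as defined by the PKCS#11 specification. */
#define CKR_OK                           0x000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL

/* Constructed stand-in for one loaded PKCS#11 module (not a real token). */
static int module_up;
static unsigned long mock_C_Initialize(void) {
    if (module_up) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    module_up = 1;
    return CKR_OK;
}
static unsigned long mock_C_Finalize(void) {
    if (!module_up) return CKR_CRYPTOKI_NOT_INITIALIZED;
    module_up = 0;
    return CKR_OK;
}
static unsigned long mock_C_GetInfo(void) { /* any call that needs a live module */
    return module_up ? CKR_OK : CKR_CRYPTOKI_NOT_INITIALIZED;
}

/* Hypothetical process-wide wrapper: only the first initialize and the
 * last finalize reach the module. */
static unsigned int init_refs;
unsigned long shared_initialize(void) {
    unsigned long rv = init_refs ? CKR_OK : mock_C_Initialize();
    if (rv == CKR_OK) init_refs++;
    return rv;
}
unsigned long shared_finalize(void) {
    if (init_refs == 0) return CKR_CRYPTOKI_NOT_INITIALIZED;
    return --init_refs ? CKR_OK : mock_C_Finalize();
}

/* Libraries A and B share a process; returns what B's next call sees
 * once A has finished with the module. */
unsigned long b_after_a_finalizes(int refcounted) {
    module_up = 0; init_refs = 0;
    if (refcounted) { shared_initialize(); shared_initialize(); shared_finalize(); }
    else { mock_C_Initialize(); mock_C_Initialize(); mock_C_Finalize(); }
    return mock_C_GetInfo();
}

int main(void) {
    printf("direct:     0x%lx\n", b_after_a_finalizes(0));
    printf("refcounted: 0x%lx\n", b_after_a_finalizes(1));
    return 0;
}
```

Without the shared count, the second library's session and key handles stop working the moment the first library finalizes the module.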