[opensc-devel] Do smart card drivers generally support more than one PKCS#11 session?

Stef Walter stefw at collabora.co.uk
Wed Jun 22 04:56:41 PDT 2011 

On 06/22/2011 12:22 PM, Nikos Mavrogiannopoulos wrote:
> On 06/21/2011 07:59 PM, Stef Walter wrote:
> 
>>> I didn't like the pinfile attribute of pkcs11-urls much, because 
>>> its semantics are undefined. I see it as an option that could cause
>>> compatibility issues between libraries using URLs. That's why I
>>> have ignored it so far.
>>
>> Yes, I understand that the pinfile attribute is really ambiguous. 
>> Until recently I saw it as an oddity and confusing. However I think 
>> we can turn the ambiguity of the pinfile attribute to an advantage 
>> (although I'm going to see if we can rename it to 'pin' on 
>> saag at ietf.org). I've created an API in p11-kit which allows 
>> registering of callbacks to handle specific (or any) pinfile. This 
>> allows a UI (whether CLI or GUI) to register a pin callback. Then 
>> gnutls (or other libraries) can detect the presence of a pinfile 
>> attribute and use p11-kit to check if anyone has registered a 
>> callback for that pinfile.
> 
> This sounds dangerous in terms of code execution. If you put a memory
> address would someone be able to execute arbitrary code by modifying it?
> If you put an index to functions, would someone be able to
> manipulate index and data to perform other than the expected
> calculations? These might not be easy to ensure.

That's certainly not the way I've implemented that API. We register a
callback for a given pinfile string. So for example glib might register
a callback for:

    callback:gtls-database

When gnutls uses a PKCS#11 URI like:

    pkcs11:id=%11%22%33%44;pinfile=callback:gtls-database

It can use p11-kit to invoke the callback that the glib has previously
registered.

>>> Are there other alternatives to solve the issue at hand?
>> I've tried threading context specific callbacks throughout gnutls, 
>> and it was a very tedious and messy exercise. I have an incomplete 
>> patch somewhere if you're interested.
> 
> What if every gnutls_pkcs11_privkey_t struct has its own pin function?
> Would that help?

That was my initial approach. However gnutls_pkcs11_privkey_t is only
part of the picture. Pretty much every function that accepts a PKCS#11
URI needs to accept callback information. In addition
gnutls_pkcs11_obj_t needs to have callbacks as well. And then there was
something else that needed it too, but I'm drawing a blank right now...

Cheers,

Stef

More information about the p11-glue mailing list