[opensc-devel] Do smart card drivers generally support more than one PKCS#11 session?
stefw at collabora.co.uk
Wed Jun 22 04:56:41 PDT 2011
On 06/22/2011 12:22 PM, Nikos Mavrogiannopoulos wrote:
> On 06/21/2011 07:59 PM, Stef Walter wrote:
>>> I didn't like the pinfile attribute of pkcs11-urls much, because
>>> its semantics are undefined. I see it as an option that could cause
>>> compatibility issues between libraries using URLs. That's why I
>>> have ignored it so far.
>> Yes, I understand that the pinfile attribute is really ambiguous.
>> Until recently I saw it as an oddity and confusing. However I think
>> we can turn the ambiguity of the pinfile attribute to an advantage
>> (although I'm going to see if we can rename it to 'pin' on
>> saag at ietf.org). I've created an API in p11-kit which allows
>> registering of callbacks to handle specific (or any) pinfile. This
>> allows a UI (whether CLI or GUI) to register a pin callback. Then
>> gnutls (or other libraries) can detect the presence of a pinfile
>> attribute and use p11-kit to check if anyone has registered a
>> callback for that pinfile.
> This sounds dangerous in terms of code execution. If you put a memory
> address would someone be able to execute arbitrary code by modifying it?
> If you put an index to functions, would someone be able to
> manipulate index and data to perform other than the expected
> calculations? These might not be easy to ensure.
That's certainly not the way I've implemented that API. We register a
callback for a given pinfile string. So for example glib might register
a callback for:
When gnutls uses a PKCS#11 URI like:
It can use p11-kit to invoke the callback that the glib has previously
>>> Are there other alternatives to solve the issue at hand?
>> I've tried threading context specific callbacks throughout gnutls,
>> and it was a very tedious and messy exercise. I have an incomplete
>> patch somewhere if you're interested.
> What if every gnutls_pkcs11_privkey_t struct has its own pin function?
> Would that help?
That was my initial approach. However gnutls_pkcs11_privkey_t is only
part of the picture. Pretty much every function that accepts a PKCS#11
URI needs to accept callback information. In addition
gnutls_pkcs11_obj_t needs to have callbacks as well. And then there was
something else that needed it too, but I'm drawing a blank right now...
More information about the p11-glue