pkcs#11 URIs

Stef Walter stefw at
Fri Jul 27 00:57:42 PDT 2012

I hope it's okay if I CC this to the p11-glue mailing list, and David
who's working on some of this stuff too...

On 07/27/2012 12:27 AM, Dan Winship wrote:
> OK, so to use PKCS#11 certs for NM VPN plugins, we need to pass some
> sort of stringified certificate identifier to the VPN program.
> What's the status of draft-pechanec-pkcs11uri? Google doesn't seem to
> turn up discussion of it anywhere. Is it looking likely to be published?

Yes, there's been a few revisions. But it's still going through the
process. Here's a handy page about it:

> If so, do we want to retroactively declare that
> g_tls_database_create_certificate_handle() definitely always returns a
> pkcs11 URI for certificates retrieved from pkcs11 databases?

Yes, that was the idea. We would get a file: uri for the
GTlsFileDatabase (and friends) and a pkcs11: uri for the pkcs11
databases. But yes, we should document it.

> That would solve the problem for openconnect (which uses gnutls and thus
> p11-kit). 

BTW, David Woodhouse has been hacking on that and has some patches working.

openvpn uses pkcs11-helper though, so we have to pass it a
> "serialized certificate id", which basically appears to mean "magic
> string that you have no way of knowing other than by using
> pkcs11-helper"... I guess if the pkcs11uri spec is happening, then we
> should write a patch to pkcs11-helper to make
> pkcs11h_certificate_deserializeCertificateId() accept PKCS#11 URIs in
> addition to its current format, and then we just win?

That would be great. David, is that the approach you took?


More information about the p11-glue mailing list