pkcs#11 URIs

David Woodhouse dwmw2 at
Fri Jul 27 01:30:32 PDT 2012

On Fri, 2012-07-27 at 09:57 +0200, Stef Walter wrote:
> > That would solve the problem for openconnect (which uses gnutls and thus
> > p11-kit). 
> BTW, David Woodhouse has been hacking on that and has some patches working.

This is all already working in Fedora. If you manually edit
your /etc/NetworkManager/system-connections/FooVPN file, and set the
usercert= key to be a PKCS#11 URL, it all JustWorks™, with PIN callbacks
and everything.

What we *haven't* solved yet is the configuration GUI, which is why you
have to edit the config manually. I've been pointed at but AFAICT
there's no existing simple way to make a GcrCollection from all the
available certs in all the tokens known to p11-kit.

(Note that "all the certs which have corresponding private keys" is not
what we need, because sometimes the private keys aren't *visible* until
you log in to the token. So either we need to be able to select a cert
which appears not to have a corresponding private key, or we need to be
able to log in... to a token of the user's choice? To all tokens like
'p11tool --login --list-all' does? And then there's the fact that we
*also* want to be able to choose a file from the local file system.)

tl;dr: it isn't simple and I don't want it in NM-openconnect. It needs
to be somewhere central where it'll get loved and be consistent. So I've
mostly punted and hoped Dan would do it... Hello Dan :)

> > openvpn uses pkcs11-helper though, so we have to pass it a
> > "serialized certificate id", which basically appears to mean "magic
> > string that you have no way of knowing other than by using
> > pkcs11-helper"... I guess if the pkcs11uri spec is happening, then we
> > should write a patch to pkcs11-helper to make
> > pkcs11h_certificate_deserializeCertificateId() accept PKCS#11 URIs in
> > addition to its current format, and then we just win?
> That would be great. David, is that the approach you took?

I don't use pkcs11-helper, so I've not taken any approach to this. In
OpenConnect you *only* get PKCS#11 support if built with GnuTLS.

I see the pkcs11-helper library has a lot of glue for using PKCS#11 keys
inside OpenSSL, creating an OpenSSL 'RSA' key with appropriate methods
on it, etc.  So my initial thought of "just rip pkcs11-helper out and
make openvpn use p11-kit" probably isn't the right one.

So yes, Dan's suggestion that we make pkcs11-helper use PKCS#11 URLs
seems sane. Note that we'll *also* want to make it load the tokens
specified in /etc/pkcs11/modules/, or it still won't work because it
won't *load* the right tokens and won't be able to resolve URLs. Perhaps
we want to make pkcs11-helper *use* p11-kit internally?
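The message describes two pieces a client needs for the usercert= value to work: parsing a PKCS#11 URI into its path and query attributes, and knowing which modules p11-kit would load from /etc/pkcs11/modules/ so the URI can be resolved against real tokens. The Python below is an added example written for this page, not code from OpenConnect, NetworkManager, p11-kit or pkcs11-helper. The URI, the token description and the .module file texts are constructed; the attribute names follow the PKCS#11 URI scheme (RFC 7512) and the module-file keys follow p11-kit's documented format, but the matching rules are simplified.

```python
"""PKCS#11 URI parsing, token matching and p11-kit module discovery.

Added example, not project code.  SAMPLE_URI, SAMPLE_TOKEN and SAMPLE_MODULES
are constructed for illustration."""

from urllib.parse import unquote, unquote_to_bytes

# Attribute names from the PKCS#11 URI scheme (RFC 7512).  Path attributes
# select a module, token or object; query attributes say where the PIN comes
# from or which module to load.
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def parse_pkcs11_uri(uri):
    """Return {'path': {...}, 'query': {...}} or raise ValueError.

    Values are percent-decoded.  'id' is decoded to bytes because CKA_ID is an
    arbitrary byte string, not text.  Duplicate attributes are rejected."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path, _, query = uri[len("pkcs11:"):].partition("?")
    result = {"path": {}, "query": {}}
    for text, section, allowed, sep in (
        (path, "path", PATH_ATTRS, ";"),
        (query, "query", QUERY_ATTRS, "&"),
    ):
        if not text:
            continue
        for pair in text.split(sep):
            name, eq, raw = pair.partition("=")
            if not eq or name not in allowed:
                raise ValueError("bad %s attribute %r" % (section, pair))
            if name in result[section]:
                raise ValueError("duplicate attribute %r" % name)
            result[section][name] = (
                unquote_to_bytes(raw) if name == "id" else unquote(raw))
    return result


def token_matches(uri_attrs, token):
    """A token matches when every token-level path attribute present in the
    URI equals the token's value; attributes absent from the URI are
    wildcards.  `token` mimics the fields of CK_TOKEN_INFO."""
    for name in ("token", "manufacturer", "serial", "model"):
        want = uri_attrs["path"].get(name)
        if want is not None and token.get(name) != want:
            return False
    return True


def p11kit_modules(module_files, program):
    """module_files: {filename: text} standing in for /etc/pkcs11/modules/*.
    Return the library paths of modules a client named `program` would load.
    Handles the 'module:', 'enable-in:' and 'disable-in:' keys only."""
    loaded = []
    for fname in sorted(module_files):
        conf = {}
        for line in module_files[fname].splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
        path = conf.get("module")
        if not path:
            continue
        enable_in = [p.strip() for p in conf.get("enable-in", "").split(",") if p.strip()]
        disable_in = [p.strip() for p in conf.get("disable-in", "").split(",") if p.strip()]
        if enable_in and program not in enable_in:
            continue
        if program in disable_in:
            continue
        loaded.append(path)
    return loaded


# Constructed sample data (hypothetical token and module files).
SAMPLE_URI = ("pkcs11:token=My%20Smartcard;manufacturer=ACME%20Inc;"
              "id=%01%02;object=VPN%20Cert;type=cert?pin-source=file:/etc/vpn/pin")
SAMPLE_TOKEN = {"token": "My Smartcard", "manufacturer": "ACME Inc",
                "serial": "0001", "model": "PKCS#15"}
SAMPLE_MODULES = {
    "opensc.module": "module: /usr/lib64/pkcs11/opensc-pkcs11.so\ncritical: no\n",
    "gnome-keyring.module": ("module: /usr/lib64/pkcs11/gnome-keyring-pkcs11.so\n"
                             "disable-in: openvpn\n"),
}

if __name__ == "__main__":
    attrs = parse_pkcs11_uri(SAMPLE_URI)
    print("path attributes:", attrs["path"])
    print("query attributes:", attrs["query"])
    print("token matches:", token_matches(attrs, SAMPLE_TOKEN))
    print("modules for openvpn:", p11kit_modules(SAMPLE_MODULES, "openvpn"))
```

A value like SAMPLE_URI is what the usercert= key would carry; note that a URI naming only a `cert` object says nothing about whether the matching private key is visible before login, which is exactly the selection problem the message raises.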
