pkcs#11 URIs

Dan Winship danw at gnome.org
Fri Jul 27 06:21:55 PDT 2012


On 07/27/2012 04:30 AM, David Woodhouse wrote:
> What we *haven't* solved yet is the configuration GUI, which is why you
> have to edit the config manually. I've been pointed at
> http://developer.gnome.org/gcr/stable/GcrComboSelector.html but AFAICT
> there's no existing simple way to make a GcrCollection from all the
> available certs in all the tokens known to p11-kit.

Yeah, we're probably going to need some new widgets and stuff.

> (Note that "all the certs which have corresponding private keys" is not
> what we need, because sometimes the private keys aren't *visible* until
> you log in to the token.

Hm... it's not even possible to see that the key exists?

> And then there's the fact that we
> *also* want to be able to choose a file from the local file system.

Right, although do we want "choose a file and then import it into
gnome-keyring and use PKCS#11" or "choose a file and then pass it to
openconnect as a filename" ?

> So yes, Dan's suggestion that we make pkcs11-helper use PKCS#11 URLs
> seems sane. Note that we'll *also* want to make it load the tokens
> specified in /etc/pkcs11/modules/, or it still won't work because it
> won't *load* the right tokens and won't be able to resolve URLs.

Not a problem:

  openvpn --pkcs11-providers /usr/lib64/p11-kit-proxy.so --pkcs11-id ...

> Perhaps we want to make pkcs11-helper *use* p11-kit internally?

The pkcs11-helper author didn't seem to like the idea of having the
modules configured globally:
http://www.opensc-project.org/pipermail/opensc-devel/2011-August/017009.html

-- Dan
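The thread's plan has two halves: load every module listed under /etc/pkcs11/modules/ by pointing the client at p11-kit-proxy.so as its single PKCS#11 provider, then identify the certificate with a PKCS#11 URI instead of a provider-specific id. The following is an added example, not code from this thread, pkcs11-helper, p11-kit or OpenVPN, showing the URI half: it parses the pkcs11: scheme (a draft at the time, later standardised as RFC 7512; path attributes separated by ';', query attributes by '&', values percent-encoded) and resolves a URI against a hand-constructed object listing that stands in for what a module would enumerate. The `private` flag on each constructed object is an assumption modelling CKA_PRIVATE, which is what makes "certs with a corresponding private key" unknowable before login, as David's note above points out.

```python
"""Parse PKCS#11 URIs and resolve them against enumerated token objects.

Added example (not code from the thread, pkcs11-helper, p11-kit or
OpenVPN).  The URI grammar follows the pkcs11: scheme as later
standardised in RFC 7512.  The token/object listing is constructed by
hand to stand in for what a PKCS#11 module would enumerate.
"""
from urllib.parse import unquote_to_bytes

# Attributes whose value is binary (compared as bytes, not text).
BINARY_ATTRS = {"id"}


def _parse_attrs(component, sep):
    """Split 'a=b<sep>c=d' into a dict, percent-decoding every value."""
    attrs = {}
    if component == "":
        return attrs
    for part in component.split(sep):
        name, eq, value = part.partition("=")
        if not eq or not name:
            raise ValueError("malformed attribute %r" % part)
        if name in attrs:
            raise ValueError("duplicate attribute %r" % name)
        raw = unquote_to_bytes(value)
        attrs[name] = raw if name in BINARY_ATTRS else raw.decode("utf-8")
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    return _parse_attrs(path, ";"), _parse_attrs(query, "&")


# Constructed sample (hypothetical tokens, not real hardware).  'private'
# models CKA_PRIVATE: such objects are not visible until the token is
# logged in, so "certs that have a private key" cannot be listed up front.
SAMPLE_OBJECTS = [
    {"token": "Smartcard A", "serial": "0001", "object": "vpn cert",
     "type": "cert", "id": b"\x01", "private": False},
    {"token": "Smartcard A", "serial": "0001", "object": "vpn cert",
     "type": "private", "id": b"\x01", "private": True},
    {"token": "Softoken", "serial": "SOFT", "object": "vpn cert",
     "type": "cert", "id": b"\x02", "private": False},
    {"token": "Softoken", "serial": "SOFT", "object": "vpn cert",
     "type": "private", "id": b"\x02", "private": False},
]


def resolve_uri(uri, objects, logged_in=False):
    """Return the objects that every path attribute of the URI matches.

    Query attributes (pin-source, module-path, ...) tell the caller how to
    reach the token; they are not matched against objects.
    """
    path_attrs, _query = parse_pkcs11_uri(uri)
    hits = []
    for obj in objects:
        if obj["private"] and not logged_in:
            continue  # not enumerable before C_Login
        if all(obj.get(k) == v for k, v in path_attrs.items()):
            hits.append(obj)
    return hits


def certs_with_visible_key(objects, logged_in=False):
    """Certificates whose private key is currently enumerable (same token+id)."""
    keys = {(o["token"], o["id"])
            for o in resolve_uri("pkcs11:type=private", objects, logged_in)}
    return [o for o in resolve_uri("pkcs11:type=cert", objects, logged_in)
            if (o["token"], o["id"]) in keys]


if __name__ == "__main__":
    uri = "pkcs11:token=Smartcard%20A;id=%01;type=private?pin-source=file:/etc/vpn.pin"
    print(parse_pkcs11_uri(uri))
    print(len(resolve_uri(uri, SAMPLE_OBJECTS)), "match(es) before login")
    print(len(resolve_uri(uri, SAMPLE_OBJECTS, logged_in=True)), "match(es) after login")
```

Two details matter for a GUI built on this: `id` is compared as raw bytes, so a chooser must round-trip it through percent-encoding rather than a display string, and the key lookup in `certs_with_visible_key` only works after login on the smart card, which is exactly why a selector that filters on "has a private key" would hide the card's certificate.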

