Load a PKCS#11 module for NSS to use

David Woodhouse dwmw2 at infradead.org
Tue Aug 12 01:18:32 PDT 2014

On Tue, 2014-08-12 at 09:38 +0200, Stef Walter wrote:
> On 12.08.2014 08:12, Watson Sato wrote:
> > Hi,
> > 
> > I'm a GSoC student and I'm developing a PKCS#11 module for Evolution.
> > I'm about to integrate it into Evolution, and planning to load it by
> > calling SECMOD_LoadUserModule().
> > 
> > Some people recommended me to take a look on other approaches, like Gck
> > and p11-kit.
> > For what I have tried and tested, with both approaches I managed to load
> > and initialize the modules. But the references to the modules remain in
> > the application, and I need NSS to be able to use the module.
> > 
> > Is there a way for an application to load a PKCS#11 module and make it
> > available to NSS with p11-kit?
> Well, sorta ... You can use the p11-kit-proxy.so module. By using that
> all configured p11-kit modules become available to NSS.
> But I think what you're trying to do SECMOD_LoadUserModule() is the
> perfect function to use. As I understand it, you're not trying to build
> a globally configured/installed module, but rather something specific to
> the running Evolution process. There's no need to involve p11-kit in the
> loading.

Yes and no.

In fact, this module is exposing X.509 certificates from Evolution
addressbooks. Yes, the *primary* use case is for Evolution itself, so
you can send S/MIME-encrypted mail to someone in your addressbook, and
you don't throw your computer out the window in frustration when it says
it has no certificate for them.... despite clearly showing the
appropriate X-CERT-X509 field when you look at their addressbook entry.

But actually, there's no reason why the data in the same PKCS#11 module
shouldn't be made available to other crypto users in the general case...
which is where p11-kit comes in.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/p11-glue/attachments/20140812/4aa2425f/attachment.bin>

More information about the p11-glue mailing list