NetworkManager & PKCS#11 remoting

Lubomir Rintel lkundrak at
Mon Jun 20 13:50:24 UTC 2016


I've been looking into utilizing p11-kit with NetworkManager's VPN
plugins (and wpa_supplicant in future too). The p11-kit remoting
capability seems useful to connect the daemons with the tokens
accessible from the user session.

We're able to spawn a remoting agent in the user session and pass the
open file descriptor to the daemons, but there doesn't seem to be a way
to make the p11-kit or p11-kit-proxy users use that file handle. I've
got it working by passing the file descriptor number via an environment
variable [1] [2]; but perhaps there's a better way?


Another problem is that the p11-kit-remote tool needs a module name;
but the VPN daemon only knows the PKCS#11 URI. Would it make sense to
extend the tool to do the resolution as well? [3]


If we get a good certificate picker from Tyagi, this would make it
considerably easier to comfortably use p11-kit for NetworkManager's

The overall design & the prototype are described here; I'm wondering if
it looks sane to you?

The links to the patches are at the very bottom of the bug linked


