NetworkManager & PKCS#11 remoting

Nikos Mavrogiannopoulos nmav at redhat.com
Tue Jun 21 09:12:42 UTC 2016


On Tue, 2016-06-21 at 08:49 +0100, David Woodhouse wrote:
> On Tue, 2016-06-21 at 09:39 +0200, Nikos Mavrogiannopoulos wrote:
> > On Mon, 2016-06-20 at 15:07 +0100, David Woodhouse wrote:
> > > On Mon, 2016-06-20 at 15:50 +0200, Lubomir Rintel wrote:
> > > > Another problem is that the p11-kit-remote tool needs a module
> > > > name; but the VPN daemon only knows the PKCS#11 URI. Would it make
> > > > sense to extend the tool to do the resolution as well? [3]
> > > > 
> > > > [3] https://github.com/NetworkManager/p11-kit/commit/254ae1a6.patch
> > > No. It should be using p11-kit-proxy.so (or loading the full set of
> > > modules as indicated by the p11-kit config).
> > Why is that? Why not resolve the URL provided and remote only the
> > required module?
> I thought we were generally trying to move away from explicitly loading
> specific modules. If the correct set of modules is expected to be
> loaded *automatically* by p11-kit config, then it shouldn't really be
> *necessary* to provide it.
> 
> I'm not quite sure how the above patch works, anyway.
> 
> If I have a PKCS#11 URI of 'pkcs11:manufacturer=piv_II;id=%01' and it
> doesn't have access to the card reader. Or if I have a URI of an object
> in my personal gnome-keyring token... how does it get resolved to a
> module name?

I think this is what Lubomir is suggesting. He has a URL but doesn't
necessarily have a module name. That's why he would like to use p11-kit
remote with a URL instead of specifying a specific module.

My understanding is that he would like to have process A run:
p11-kit remote 'pkcs11:mykey'

and pass the "remote" file descriptors to process B. His problem (which
his patches address) is then, in process B, as I understand it, how to
use these file descriptors as a proper PKCS#11 module.

regards,
Nikos