NetworkManager & PKCS#11 remoting

David Woodhouse dwmw2 at infradead.org
Tue Jun 21 09:43:25 UTC 2016


On Mon, 2016-06-20 at 15:50 +0200, Lubomir Rintel wrote:
> 
> We're able to spawn a remoting agent in the user session and pass the
> open file descriptor to the daemons, but there doesn't seem to be a way
> to make the p11-kit or p11-kit-proxy users use that file handle. I've
> got it working by passing the file descriptor number via an environment
> variable [1] [2]; but perhaps there's a better way?
> 
> [1] https://github.com/NetworkManager/p11-kit/commit/e92db917.patch
> [2] https://github.com/NetworkManager/p11-kit/commit/fcb5a24.patch

Hm, at first glance I was going to suggest that it might be nicer to
avoid the config and environment bits, and just add a new function
p11_kit_load_remote_module_by_fd().

I'm not entirely sure how we make that work overall though, if you're
only really using GnuTLS and not otherwise talking directly to
p11-kit. And if you're using p11-kit-proxy.so through NSS or OpenSSL's
engine_pkcs11 then you're another step removed from p11-kit.

But still I *really* don't like the P11_REMOTE_FD environment variable,
and EVEN having equivalent behaviour with a global variable set by a
'p11_kit_set_remote_fd()' would seem nicer than that.

-- 
dwmw2