NetworkManager & PKCS#11 remoting

Nikos Mavrogiannopoulos nmav at redhat.com
Tue Jun 21 09:59:16 UTC 2016


On Tue, 2016-06-21 at 10:43 +0100, David Woodhouse wrote:
> On Mon, 2016-06-20 at 15:50 +0200, Lubomir Rintel wrote:
> > 
> > 
> > We're able to spawn a remoting agent in the user session and pass the
> > open file descriptor to the daemons, but there doesn't seem to be a way
> > to make the p11-kit or p11-kit-proxy users use that file handle. I've
> > got it working by passing the file descriptor number via an environment
> > variable [1] [2]; but perhaps there's a better way?
> > 
> > [1] https://github.com/NetworkManager/p11-kit/commit/e92db917.patch
> > [2] https://github.com/NetworkManager/p11-kit/commit/fcb5a24.patch
> Hm, at first glance I was going to suggest that it might be nicer to
> avoid the config and environment bits, and just add a new function
> p11_kit_load_remote_module_by_fd().
> 
> I'm not entirely sure how we make that work overall though, if you're
> only really using GnuTLS and not otherwise talking directly to
> p11-kit. And if you're using p11-kit-proxy.so through NSS or OpenSSL's
> engine_pkcs11 then you're another step removed from p11-kit.

What if there is a pkcs11 module called p11-kit-remote.so which all it
does is use the open fds (e.g., taken from env) if available and
operate as the proxied module.

In that case the process which receives the fds could override the
global p11-kit config and set p11-kit-remote as the only supported
module (that may not be currently possible). If that was possible
wouldn't that work with either p11-kit-proxy or p11-kit direct
(gnutls)?

regards,
Nikos
