NetworkManager & PKCS#11 remoting

Nikos Mavrogiannopoulos nmav at redhat.com
Wed Jun 22 09:53:31 UTC 2016


On Tue, 2016-06-21 at 17:00 +0100, David Woodhouse wrote:
> On Tue, 2016-06-21 at 15:01 +0200, Nikos Mavrogiannopoulos wrote:
> > This may not be workable. p11-kit does only the parsing of the URL but
> > does not pass info to the underlying module or so. Thus even if it
> > could see v-remote-fd=5, I don't think it could do anything useful with
> > it (except of course setting an environment variable).
> Or calling a p11_kit_remote_module_from_fd() function.
> 
> > For module-path, the story is the same, but in that case applications
> > and libs that use it (such as gnutls) most likely will support it
> > directly once p11-kit can parse it.
> It could be largely parallel, surely? If we can teach GnuTLS to see the
> module-path attribute and call p11_kit_module_load() and use the
> resulting module, then we can also teach it to do the same for a
> remote-fd. The only real difference is that it's calling a different
> p11-kit function.

On second view we may not need any gnutls changes for module-path. If
that module is already initialized (e.g., already registered via
p11-kit), then only p11_kit_uri_match_module_info() needs to consider
that information.

For remote-fd, it would require changes to every application using
p11-kit (engine_pkcs11, etc). I don't see how it could work without
hard-coding it to every application.

regards,
Nikos
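To make the distinction in the thread concrete, here is an added example (not p11-kit's own code) that models the two pieces: a PKCS#11 URI parser in the RFC 7512 shape p11-kit implements, and a module-matching step in the spirit of p11_kit_uri_match_module_info(). Treating module-path as a match criterion against the path a module was loaded from is the proposal under discussion, assumed here; v-remote-fd is only parsed and handed back, which is exactly why it needs per-application support.

```python
from urllib.parse import unquote

# RFC 7512 puts these attributes in the path (';'-separated) and query ('&'-separated)
# components respectively; vendor attributes ("v-" prefix) are allowed in either.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-id", "slot-description", "slot-manufacturer"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def parse_pkcs11_uri(uri):
    """Return the URI's attributes as a dict with percent-decoded values.

    Like p11-kit, this only parses: a vendor attribute such as v-remote-fd is
    returned verbatim and nothing here acts on it."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for component, allowed, sep in ((path, PATH_ATTRS, ";"), (query, QUERY_ATTRS, "&")):
        for item in filter(None, component.split(sep)):
            name, eq, value = item.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute: {item!r}")
            if name not in allowed and not name.startswith("v-"):
                raise ValueError(f"attribute {name!r} not permitted in this component")
            if name in attrs:
                raise ValueError(f"duplicate attribute: {name!r}")
            attrs[name] = unquote(value)
    return attrs


def uri_matches_module(attrs, module_info):
    """Model of p11_kit_uri_match_module_info(): every library-* attribute that the
    URI specifies must equal the corresponding CK_INFO field of the module.

    The module-path row is the thread's proposal (assumed, not current p11-kit
    behaviour): compare against the path the already-loaded module came from."""
    checks = {"library-manufacturer": "manufacturer",
              "library-description": "description",
              "library-version": "version",
              "module-path": "path"}
    for attr, field in checks.items():
        if attr in attrs and attrs[attr] != module_info.get(field):
            return False
    return True
```

With this split, an application that wants remote-fd still has to look for the v-remote-fd key in the parsed dict itself and hand the descriptor to whatever remoting function exists; parsing alone gets it nothing.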
