On Wed, Jul 19, 2017 at 11:12 AM, Rick van Rein <[email protected]> wrote:
> Hi,
>
>>> One thing that may be blocking it is the fact that GnuTLS has a global setup for PKCS #11, including the available tokens and their PINs. Is that correct, or is there a way to get around this?
>>
>> Could you describe the ideal situation of handling smart cards for the use case above?
>
> The design alternative that I'm exploring is one in which the TLS Pool is a networked component, serving multiple daemons, and/or where each daemon can run on behalf of various domain names. Ideally, the credentials of each domain name would be kept separate in the TLS Pool, rather than trusting the daemon to do the right thing. The daemon is closer to the protocols and parsers of the application, after all, and the whole idea of the TLS Pool is keeping application logic and security logic separated.
>
>> The situation in gnutls is that pkcs11 shared modules are loaded globally; pins etc. are cached/used per private key operation.
>
> The PINs may be the solution then. You didn't write down the precise logic, right? Well, you did, of course, in the code :) so maybe I should take a look there. I had assumed PINs were strictly delegated to p11-kit.
You may want to check gnutls_pkcs11_privkey_t handling. Only the shared module should be global in its handling. Everything else is local to the object.

regards,
Nikos
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
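The per-object PIN handling Nikos points at, as an added example that is neither his code nor GnuTLS's own: the PKCS #11 module set is loaded once per process, but a PIN callback is attached to each gnutls_pkcs11_privkey_t with gnutls_pkcs11_privkey_set_pin_function(), and its userdata pointer is what lets one domain's PIN stay with that domain's key object. The GnuTLS calls (gnutls_pkcs11_privkey_init, gnutls_pkcs11_privkey_set_pin_function, gnutls_pkcs11_privkey_import_url, gnutls_pkcs11_privkey_deinit) are the real API; the struct domain_cred record, the cred_for_domain/domain_pin_cb/load_domain_key helpers, the HAVE_GNUTLS build switch and the pkcs11: URLs, token labels and PINs in the sample table are assumptions constructed for this illustration.

```c
/*
 * Added example (not GnuTLS's or the TLS Pool's own code): one PIN callback
 * per private-key object, so each domain's PIN is bound to its own key object
 * instead of living in a global setting. Build against GnuTLS with:
 *   cc -DHAVE_GNUTLS per_key_pin.c $(pkg-config --cflags --libs gnutls)
 * Without -DHAVE_GNUTLS only the PIN-selection logic is compiled.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>
#include <gnutls/pkcs11.h>
#endif

/* Hypothetical per-domain credential record (assumption, not a GnuTLS type). */
struct domain_cred {
    const char *domain;      /* name the daemon acts for */
    const char *key_url;     /* pkcs11: URL of this domain's private key */
    const char *token_label; /* token the PIN is valid for */
    const char *pin;         /* in a real deployment: read from a protected store */
};

/* Constructed sample table; URLs, labels and PINs are made up. */
static const struct domain_cred sample_creds[] = {
    { "example.com", "pkcs11:token=example-com;object=tls;type=private", "example-com", "1234" },
    { "example.org", "pkcs11:token=example-org;object=tls;type=private", "example-org", "5678" },
};
#define N_CREDS (sizeof sample_creds / sizeof sample_creds[0])

const struct domain_cred *cred_for_domain(const char *domain)
{
    for (size_t i = 0; i < N_CREDS; i++)
        if (strcmp(sample_creds[i].domain, domain) == 0)
            return &sample_creds[i];
    return NULL;
}

/*
 * Matches the gnutls_pin_callback_t signature. GnuTLS invokes it with the
 * userdata passed to gnutls_pkcs11_privkey_set_pin_function() for that key
 * object only, so one domain's PIN is never offered on another domain's key.
 * Returns 0 on success or a negative value to refuse (GnuTLS treats any
 * negative return as a PIN error).
 */
int domain_pin_cb(void *userdata, int attempt, const char *token_url,
                  const char *token_label, unsigned int flags,
                  char *pin, size_t pin_max)
{
    const struct domain_cred *cred = userdata;
    (void)token_url;
    (void)flags;

    /* attempt > 0 means the previous PIN was rejected: do not retry, a wrong
     * stored PIN must not walk the token towards lock-out. */
    if (attempt > 0)
        return -1;
    /* Only answer for the token this record belongs to. */
    if (cred == NULL || token_label == NULL ||
        strcmp(token_label, cred->token_label) != 0)
        return -1;
    /* Refuse rather than truncate a PIN that does not fit. */
    if (strlen(cred->pin) >= pin_max)
        return -1;
    strcpy(pin, cred->pin);
    return 0;
}

#ifdef HAVE_GNUTLS
/* Real GnuTLS wiring: module loading stays process-global, the PIN function
 * is attached to this key object alone. */
gnutls_pkcs11_privkey_t load_domain_key(const struct domain_cred *cred)
{
    gnutls_pkcs11_privkey_t key;
    if (gnutls_pkcs11_privkey_init(&key) < 0)
        return NULL;
    gnutls_pkcs11_privkey_set_pin_function(key, domain_pin_cb, (void *)cred);
    if (gnutls_pkcs11_privkey_import_url(key, cred->key_url, 0) < 0) {
        gnutls_pkcs11_privkey_deinit(key);
        return NULL;
    }
    return key;
}
#endif

int main(void)
{
    char pin[16];
    const struct domain_cred *c = cred_for_domain("example.com");
    int rc = domain_pin_cb((void *)c, 0, NULL, c->token_label, 0, pin, sizeof pin);
    printf("example.com PIN for its own token: rc=%d\n", rc);
    rc = domain_pin_cb((void *)c, 0, NULL, "example-org", 0, pin, sizeof pin);
    printf("example.com PIN for another token: rc=%d\n", rc);
#ifdef HAVE_GNUTLS
    gnutls_global_init();
    gnutls_pkcs11_privkey_t key = load_domain_key(c);
    printf("key import: %s\n", key ? "ok" : "failed");
    if (key)
        gnutls_pkcs11_privkey_deinit(key);
    gnutls_global_deinit();
#endif
    return 0;
}
```

The callback refuses on a retry and on a token-label mismatch; both checks matter in a shared TLS Pool, where a callback that hands out a PIN to whichever token asks would undo the per-domain separation the key object gives you.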
