Alon Bar-Lev wrote:
pam_prompt should not be blocking, pam_prompt only displays information. If it's blocking, then there is something wrong with the function (or the application conversation part).Hello Ludovic,1. The new version prompt some annoying messages in X... This is related to the new pam_prompt addition when HAVE_SECURITY_PAM_EXT_H is defined.
No, I definately did not add all of NSS, it used NSS from a shared library. I'm not sure what code you think is NSS. What is there is the previous pam_pkcs11 api to the common directory, abstracted out to allow it to be bilingual.2. I've look at the code. It seems like you added the whole nss into the source... I don't understand why... You can use the external library files.
I'm not sure if you are looking at the same code. Can you give examples of where there isn't an abstraction? OpenSSL is replaces entirely. All the crypto library specific calls live in src/common. I did not change the openSSL names for things like certs, but provided typedef definitions to NSS CERTCertificates.3. Regarding the pkcs11-helper... The problem is that NSS addition is somewhat strange... I expected that it will replace OpenSSL entirely... So that you can run current PKCS#11 implementation with NSS... This requires the abstraction library for certificate and digest will be implemented as standalone, and use this throughout the whole package.
This was the original pam_pkcs11 semantic. I basically mapped around it as well. NSS prefers a higher level abstraction as well. I didn't want to break existing configurations, so maintained the funky 'slot number index to the selected module' from the previous pam_pkcs11. For NSS we usually don't the slot or the module. The output of 'select slot' is a crypto specific value, so you can use any abstraction you already have (NSS uses regular slot IDs, and keeps the module in the pam_pkcs11 context handle).If it had been so, it would been easy to offer alternative that uses NSS or OpenSSL as a crypto engine and NSS PKCS#11 implementation or pkcs11-helper implementation. I have one more problem regarding the slot number... For a strange reason the pam_pkcs11 bothers the user with numeric slot/string number... What happens if there are several providers? Readers? etc... For this reason I abstract it in pkcs11-helper... I wished to removed this one from pam_pkcs11 so that all available certificate objects are validated against the mappers.
The context handle is now completely opaque, so you are free to store anything you need for pkcs11_helper there.
If you have time in the future, I would be happy to help you identify where the abstraction layer is. If we need to beef it up to make it easier for pkcs#11 helper, then I would be willing to update the NSS side for that.But the current state requires too much work... I regret to say, I don't have the time right now. I think that before the NSS additions, I could have cleaned up the code faster...
bob
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
