On Tue, 2016-06-21 at 11:59 +0200, Nikos Mavrogiannopoulos wrote: > > What if there is a pkcs11 module called p11-kit-remote.so which all it > does it use the open fds (e.g., taken from env) if available and > operate as the proxied module.
That's basically built in to p11-kit right now. It's not a separate PKCS#11 module but I suppose it *could* be. Or p11-kit-proxy, loading an appropriate p11-kit config, would basically have the same effect using the built-in code. > In that case the process which receives the fds could override the > global p11-kit config and set p11-kit-remote as the only supported > module (that may not be currently possible). If that was possible > wouldn't that work with either p11-kit-proxy or p11-kit direct > (gnutls)? Perhaps a global function to "set the p11-kit config for this process", called before any other p11-kit functions are invoked to load modules, might work. Or maybe it could be an environment variable. Using it to set a config that happens to contain only a single 'remote' module would just be *one* of the ways it could be used. Note that you probably do want the trust modules to still be available, And we haven't explicitly talked about the case where client certs are actually installed as *root* (since that's the only way it worked before). Our corporate wifi/802.1x auth requires certs which we install in /etc/pki and point NM at them there. And once we finally fix up automatic renewal, they'll be renewed using the AD *machine* account credentials; the user will never see them at all. Admittedly those are in a file right now and not PKCS#11, but let's bear in mind that we do also need to support the non-proxied case. (Or maybe that just becomes 'proxied to something running as root')? -- dwmw2
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ p11-glue mailing list p11-glue@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/p11-glue