Re: [opensc-devel] Integrating p11-kit into pkcs11-helper?
On 08/04/2011 06:57 PM, Alon Bar-Lev wrote:

Hello,

In gnutls we dropped our own PKCS #11 back-end based on pakchois for p11-kit. I try to contribute to the discussion based on this experience.

> pkcs11-helper targets developers who like to introduce PKCS#11 into
> their application, especially for smartcard. It allows to minimize
> the user interaction and maximize the object reuse. While using the
> minimum set of the specification in order to allow application
> compatibility with most implementation. p11-kit designed to solve
> incompatibilities of modules and inappropriate implementation of
> application that use PKCS#11 by providing a baseline of the PKCS#11
> spec module implementation that may proxy on or more providers.

This does look like making them mutually exclusive. Would be good if a library satisfied both goals.

>> * Coordinating initialization and finalizing.
> You referencing a bad implemented application that is use PKCS#11 in
> two independent places. A practical solution is to fix the library
> implementation (such as GnuTLS) to provide some state information.

How do you know that one library is in use? How can you avoid an application being linked to both p11-kit and pkcs11-helper? My experience from gnutls is that you cannot really track indirect dependencies, and you end up having applications linked against gnutls and openssl. If both had to access a PKCS #11 token there would be a problem.

>> * A standard place to put configuration of which modules to load
>> and how to load them.
> A PKCS#11 aware application should be expose to this information and
> not let some library to hide these. I also don't like libraries like
> NSS that have dependencies out side of the runtime environment the
> application is creating for them.
>> * Allowing pkcs11-helper to load modules from a standard location.
>> Does pkcs11-helper have a concept of a module registry? If not,
>> this could be a nice addition provided by p11-kit.
> Same as above. I don't like these registries within a library (API).
> A proxy module may have its own configuration which is fine.

You can have both. Both an application interface where each application selects the modules and a system wide registry to set the system wide available libraries. This is how gnutls is using p11-kit currently.

regards,
Nikos

PS. But for me the main user-visible contribution of p11-kit is the usage of pkcs11 urls, which prevents having applications referencing the same objects by different identifiers.

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

[opensc-devel] ikey3000 opensc- woes
Greetings,

I am new to this list. I bought a bundle of 5 rainbow ikey3000 tokens some 5 years ago for a project. The project with the tokens got mothballed. I now want to use the tokens for a new project. I gleaned from the internet that the card has now been updated but I also saw articles with it working on ubuntu linux with modern versions of opensc/openct.

My current setup has these:

os - linux kernel2.6.37, distribution: cblfs-linux 32-bit Intel
opensc-0.11.11
openct-0.6.18

openct-0.6.18 appears to work OK but opensc-0.11.11 does not find the ikey3000 token. For instance 'openct-control status' at command prompt returns the card details like so

#---
#openct-control status
No.   Name                Info
===
  0   Rainbow iKey 3000   slot0: card present
#---

but 'opensc-tool -n' returns "No smart cards found"

I would be grateful for some help/guidance on what I am doing incorrectly and how to get the ikey-3000 working with the setup I have.

thanks in advance.

sibu xolo

Re: [opensc-devel] Integrating p11-kit into pkcs11-helper?
On 2011-08-04 18:58, Alon Bar-Lev wrote:
>> So if p11-kit solves this multiple-access issue, this would great.
>>
> This is core issue of OpenSC and should be solved within the core of OpenSC.
> Aka - stateless card access.

Another solution is to use key-containers that for standard cryptographic operations are stateless such as SKS.

Anders

Re: [opensc-devel] Integrating p11-kit into pkcs11-helper?
2011/8/4 Jean-Michel Pouré - GOOZE :
> On Monday 01 August 2011 at 14:11 +0200, Stef Walter wrote:
>> * Initializing modules via p11-kit so that refcounting, and
>> pInitArgs stuff works if more than one app/library in the
>> same process uses a PKCS#11 module.
>>
>> * Safe forking (pkcs11-helper already does this, but p11-kit
>> forking stuff integrates with the initialization refcounting).
>
> IMHO, the biggest stopper in the spread of OpenSC is the inability to
> handle several sessions on a smartcard reliably. I mean without special
> development in the application client side.
>
> So if p11-kit solves this multiple-access issue, this would great.
>
> Do you think p11-kit would solve the issues for:
> * OpenVPN
> * Iceweasel / Firefox

This is core issue of OpenSC and should be solved within the core of OpenSC.
Aka - stateless card access.

Alon.

Re: [opensc-devel] Integrating p11-kit into pkcs11-helper?
Hello Stef,

I think that each project is targeting a different set of problems. I am fully opened for discussion, but this is how I see things:

pkcs11-helper targets developers who like to introduce PKCS#11 into their application, especially for smartcard. It allows to minimize the user interaction and maximize the object reuse. While using the minimum set of the specification in order to allow application compatibility with most implementation.

p11-kit designed to solve incompatibilities of modules and inappropriate implementation of application that use PKCS#11 by providing a baseline of the PKCS#11 spec module implementation that may proxy one or more providers.

BTW: we should also outline the difference between p11-kit and NSS.

Let's take your example and see where these fit:

> * Coordinating initialization and finalizing.

You referencing a bad implemented application that is use PKCS#11 in two independent places. A practical solution is to fix the library implementation (such as GnuTLS) to provide some state information. However, a proxy baseline provider with reference count and such may indeed solve this issue.

> * A standard place to put configuration of which modules to load
> and how to load them.

A PKCS#11 aware application should be exposed to this information and not let some library to hide these. I also don't like libraries like NSS that have dependencies outside of the runtime environment the application is creating for them.

> * Allowing pkcs11-helper to load modules from a standard
> location. Does pkcs11-helper have a concept of a module
> registry? If not, this could be a nice addition provided
> by p11-kit.

Same as above. I don't like these registries within a library (API). A proxy module may have its own configuration which is fine.

> * Initializing modules via p11-kit so that refcounting, and
> pInitArgs stuff works if more than one app/library in the
> same process uses a PKCS#11 module.

As I wrote above, a different (applicative) solution should be applied.

> * Safe forking (pkcs11-helper already does this, but p11-kit
> forking stuff integrates with the initialization refcounting).

Yes, much of the work in pkcs11-helper was safe forking, in order to abstract the [complex] process from the developers.

What do you think?

Alon.

On Mon, Aug 1, 2011 at 8:11 AM, Stef Walter wrote:
>
> Hi Alon,
>
> Thanks for all the PKCS#11 integration work you've spearheaded across
> the community.
>
> You may have heard of p11-kit before. It tries to solve several problems
> with using PKCS#11 modules across the Desktop. In particular when
> multiple applications or libraries want to use the same PKCS#11 modules.
> Most importantly:
>
> * Coordinating initialization and finalizing.
> * A standard place to put configuration of which modules to load
> and how to load them.
>
> More documentation here: http://p11-glue.freedesktop.org/p11-kit.html
>
> p11-kit can be used as a PKCS#11 module, and as such will integrate out
> of the box into anything that supports PKCS#11. So pkcs11-helper can
> already use p11-kit.
>
> I'm interested in integrating p11-kit more closely into pkcs11-helper.
> But I figured I'd talk with you before hacking. Some areas where
> integration could take place:
>
> * Allowing pkcs11-helper to load modules from a standard
> location. Does pkcs11-helper have a concept of a module
> registry? If not, this could be a nice addition provided
> by p11-kit.
>
> * Initializing modules via p11-kit so that refcounting, and
> pInitArgs stuff works if more than one app/library in the
> same process uses a PKCS#11 module.
>
> * Safe forking (pkcs11-helper already does this, but p11-kit
> forking stuff integrates with the initialization refcounting).
>
> Perhaps more? How do this sound?
>
> Cheers,
>
> Stef

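The initialization-coordination problem discussed in this thread (two libraries in one process each calling C_Initialize and C_Finalize on the same PKCS#11 module), shown as an added example that is not part of the original messages and is not p11-kit or pkcs11-helper code. The mock_* functions are constructed stand-ins for a module, and shared_initialize/shared_finalize are hypothetical names for a reference-counting coordinator.

```c
#include <stdio.h>
/* PKCS#11 return codes (values from the specification). */
#define CKR_OK                           0x000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL

/* Constructed stand-in for one loaded module: its state is per process. */
static int module_ready;
static unsigned long mock_C_Initialize(void) {
    if (module_ready) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    module_ready = 1; return CKR_OK;
}
static unsigned long mock_C_Finalize(void) {
    if (!module_ready) return CKR_CRYPTOKI_NOT_INITIALIZED;
    module_ready = 0; return CKR_OK;
}
static unsigned long mock_C_OpenSession(void) { /* needs a live module */
    return module_ready ? CKR_OK : CKR_CRYPTOKI_NOT_INITIALIZED;
}

/* Hypothetical coordinator, single-threaded: first init and last finalize reach the module. */
static unsigned refs;
unsigned long shared_initialize(void) {
    unsigned long rv = refs ? CKR_OK : mock_C_Initialize();
    if (rv == CKR_OK) refs++;
    return rv;
}
unsigned long shared_finalize(void) {
    if (refs == 0) return CKR_CRYPTOKI_NOT_INITIALIZED;
    return --refs ? CKR_OK : mock_C_Finalize();
}

/* Libraries A and B in one process; each returns what B sees after A is done. */
unsigned long uncoordinated(void) {
    module_ready = 0;
    mock_C_Initialize();          /* A */
    mock_C_Initialize();          /* B gets ALREADY_INITIALIZED, carries on */
    mock_C_Finalize();            /* A finalizes: module torn down for B too */
    return mock_C_OpenSession();  /* B */
}
unsigned long coordinated(void) {
    module_ready = 0; refs = 0;
    shared_initialize(); shared_initialize();  /* A, then B */
    shared_finalize();                         /* A: refcount 2 -> 1 */
    unsigned long rv = mock_C_OpenSession();   /* B still has a live module */
    shared_finalize();                         /* B: last user, module finalized */
    return rv;
}

int main(void) { printf("0x%lx 0x%lx\n", uncoordinated(), coordinated()); return 0; }
```

The coordinator only helps when every consumer in the process goes through it, which is the concern raised above about applications linked against two different PKCS#11 helper libraries.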
Re: [opensc-devel] Integrating p11-kit into pkcs11-helper?
On Monday 01 August 2011 at 14:11 +0200, Stef Walter wrote:
> * Initializing modules via p11-kit so that refcounting, and
> pInitArgs stuff works if more than one app/library in the
> same process uses a PKCS#11 module.
>
> * Safe forking (pkcs11-helper already does this, but p11-kit
> forking stuff integrates with the initialization refcounting).

IMHO, the biggest stopper in the spread of OpenSC is the inability to handle several sessions on a smartcard reliably. I mean without special development in the application client side.

So if p11-kit solves this multiple-access issue, this would be great.

Do you think p11-kit would solve the issues for:
* OpenVPN
* Iceweasel / Firefox

Kind regards,
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu

Re: [opensc-devel] pkcs15-tool Windows 7 error message
Hello,

On Aug 3, 2011, at 11:01 AM, Johannes Becker wrote:
> Hello,
>
> with Windows 7 (64 bit) and opensc 0.12.2 the command
>
> pkcs15-tool --reader 0 --read-public-key 45
>
> gives the right result but afterwards a message from the
> Windows system pops up:
> "pkcs15-tool funktioniert nicht mehr"
> (That translates to "pkcs15-tool doesn't work any more")
>
> This is no real problem but annoying to the users.
> I switched back to good old Smart Card Bundle for the moment.
> Is it possible that you can debug it?

Sounds like something similar to [1]

[1] http://www.opensc-project.org/opensc/changeset/007d27feebe4a09ce9e02c501cefc8d83daa6e79/OpenSC

--
@MartinPaljak.net
+3725156495