Sorry for taking so long to answer, was away for a week...

On 06/15/2011 11:28 PM, Nikos Mavrogiannopoulos wrote:
> On 06/13/2011 11:11 AM, Stef Walter wrote:
>> Since the PKCS#11 URIs say that the pinfile attribute of the URI
>> can be determined by the application, we can build something simple
>> in p11-kit and register callbacks so that one component (in the same
>> process) can provide the pin for another (like gnutls).
>
> I didn't like the pinfile attribute of pkcs11-urls much, because its
> semantics are undefined. I see it as an option that could cause
> compatibility issues between libraries using URLs. That's why I have
> ignored it so far.
Yes, I understand that the pinfile attribute is really ambiguous. Until recently I saw it as an oddity and confusing. However I think we can turn the ambiguity of the pinfile attribute to an advantage (although I'm going to see if we can rename it to 'pin' on s...@ietf.org).

I've created an API in p11-kit which allows registering of callbacks to handle a specific (or any) pinfile. This allows a UI (whether CLI or GUI) to register a pin callback. Then gnutls (or other libraries) can detect the presence of a pinfile attribute and use p11-kit to check if anyone has registered a callback for that pinfile.

Using the above scheme we could implement some stock callbacks which could:

 * Execute an application (as hinted in the spec)
 * Read from a file (although I can't imagine this to be very useful)

These stock callbacks would obviously not be registered by default.

My use case is: I'd like to be able to register a callback from within glib for a given URI, and then have it called by gnutls.

The API is here (subject to some fine tuning):

http://cgit.collabora.com/git/user/stefw/p11-kit.git/tree/p11-kit/pin.h?h=pinfile

> Are there other alternatives to solve the issue at hand?

I've tried threading context specific callbacks throughout gnutls, and it was a very tedious and messy exercise. I have an incomplete patch somewhere if you're interested.

This concept of registering a callback for the pinfile attribute gives us a nice granularity for prompting for PINs. But I'm open to other workable ideas.

Cheers,

Stef

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
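The registration-and-lookup scheme described in the message above, as an added stand-alone model that is not the p11-kit pin.h API (all function and type names, the fixed-size registry, the `demo_ui_cb` stand-in and the sample PIN are constructed for illustration). It shows the two halves: a UI registers a callback for a specific pinfile or for any pinfile, and a consuming library parses the pinfile attribute out of a PKCS#11 URI and asks the matching callback for the PIN.

```c
#include <string.h>

/* Illustrative model of the scheme in the message, not p11-kit's actual pin.h API. */
typedef int (*pin_cb)(const char *pinfile, char *pin, size_t len, void *user);
struct pin_entry { const char *pinfile; pin_cb cb; void *user; };
static struct pin_entry registry[8];
static size_t nregistered;
/* A UI component registers a callback for one pinfile value (NULL = any pinfile). */
int pin_register(const char *pinfile, pin_cb cb, void *user) {
    if (nregistered >= 8) return 0;
    registry[nregistered++] = (struct pin_entry){ pinfile, cb, user };
    return 1;
}
/* Extract the pinfile query attribute of a PKCS#11 URI such as
 * "pkcs11:token=foo;object=bar?pinfile=my-ui"; returns 0 when it is absent. */
int uri_pinfile(const char *uri, char *out, size_t out_len) {
    const char *p = strchr(uri, '?');
    while (p && *++p) {                       /* step past '?' or '&' */
        const char *end = strchr(p, '&');
        size_t seg = end ? (size_t)(end - p) : strlen(p);
        if (seg > 8 && strncmp(p, "pinfile=", 8) == 0 && seg - 8 < out_len) {
            memcpy(out, p + 8, seg - 8);
            out[seg - 8] = '\0';
            return 1;
        }
        p = end;
    }
    return 0;
}

/* What a consuming library (gnutls in the thread) would do: read the URI's
 * pinfile, prefer an exact-match callback, fall back to an any-match one. */
int pin_request(const char *uri, char *pin, size_t pin_len) {
    char pinfile[64];
    struct pin_entry *any = NULL;
    if (!uri_pinfile(uri, pinfile, sizeof pinfile)) return 0;
    for (size_t i = 0; i < nregistered; i++) {
        if (!registry[i].pinfile) { if (!any) any = &registry[i]; }
        else if (strcmp(registry[i].pinfile, pinfile) == 0)
            return registry[i].cb(pinfile, pin, pin_len, registry[i].user);
    }
    return any ? any->cb(pinfile, pin, pin_len, any->user) : 0;
}

/* Constructed stand-in for a UI prompt: hands back the PIN kept in user data. */
int demo_ui_cb(const char *pinfile, char *pin, size_t len, void *user) {
    (void)pinfile; if (strlen(user) >= len) return 0;
    strcpy(pin, user);
    return 1;
}
```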