On Tue, 2016-06-21 at 08:49 +0100, David Woodhouse wrote:
> On Tue, 2016-06-21 at 09:39 +0200, Nikos Mavrogiannopoulos wrote:
> > On Mon, 2016-06-20 at 15:07 +0100, David Woodhouse wrote:
> > > On Mon, 2016-06-20 at 15:50 +0200, Lubomir Rintel wrote:
> > > > Another problem is that the p11-kit-remote tool needs a module
> > > > name; but the VPN daemon only knows the PKCS#11 URI. Would it
> > > > make sense to extend the tool to do the resolution as well? [3]
> > > >
> > > > [3] https://github.com/NetworkManager/p11-kit/commit/254ae1a6.patch
> > > No. It should be using p11-kit-proxy.so (or loading the full set
> > > of modules as indicated by the p11-kit config).
> > Why is that? Why not resolve the URL provided and remote only the
> > required module?
> I thought we were generally trying to move away from explicitly
> loading specific modules. If the correct set of modules is expected
> to be loaded *automatically* by p11-kit config, then it shouldn't
> really be *necessary* to provide it.
>
> I'm not quite sure how the above patch works, anyway.
>
> If I have a PKCS#11 URI of 'pkcs11:manufacturer=piv_II;id=%01' and it
> doesn't have access to the card reader. Or if I have a URI of an
> object in my personal gnome-keyring token... how does it get resolved
> to a module name?

I think this is what Lubomir is suggesting. He has a URL but doesn't
necessarily have a module name. That's why he would like to use p11-kit
remote with a URL instead of specifying a specific module.

My understanding is that he would like to make process A:

  p11-kit remote 'pkcs11:mykey'

and pass the "remote" file descriptors to process B. His problem (which
his patches address) then in process B, as I understand it, is how to
use these file descriptors as a proper PKCS#11 module.

regards,
Nikos

_______________________________________________
p11-glue mailing list
p11-glue@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/p11-glue
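
The resolution question raised in the thread, as an added example that is not part of the original messages and is not p11-kit's or the patch's code: it parses the URI using the RFC 7512 attribute names and matches it against the tokens each module exposes. The function names, the visible_tokens structure and the sample token data are assumptions constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# RFC 7512 path attributes that describe a token, mapped to the
# CK_TOKEN_INFO field each is compared against.
TOKEN_ATTRS = {"token": "label", "manufacturer": "manufacturerID",
               "model": "model", "serial": "serialNumber"}

def _split(part, sep):
    """Parse 'name=value' pairs, percent-decoding each value to bytes."""
    pairs = (item.partition("=") for item in part.split(sep) if item)
    return {name: unquote_to_bytes(value) for name, _, value in pairs}

def parse_pkcs11_uri(uri):
    """Return (path attributes, query attributes) of a pkcs11: URI."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    return _split(path, ";"), _split(query, "&")

def resolve_modules(uri, visible_tokens):
    """Names of modules that could hold the object the URI points at.

    visible_tokens: module name -> list of token-info dicts, gathered by
    loading every configured module (hypothetical structure).
    """
    path, query = parse_pkcs11_uri(uri)
    if "module-name" in query:  # the URI names its module explicitly
        return [query["module-name"].decode()]
    wanted = {TOKEN_ATTRS[k]: v.decode() for k, v in path.items()
              if k in TOKEN_ATTRS}
    # With no token attributes every visible token matches; a module
    # that exposes no token (reader not accessible) never matches.
    return [mod for mod, tokens in visible_tokens.items()
            if any(all(t.get(f) == v for f, v in wanted.items())
                   for t in tokens)]

# Constructed sample data, not output from real modules.
VISIBLE = {
    "opensc": [{"label": "PIV_II", "manufacturerID": "piv_II"}],
    "gnome-keyring": [{"label": "login", "manufacturerID": "Gnome Keyring"}],
}

if __name__ == "__main__":
    uri = "pkcs11:manufacturer=piv_II;id=%01"
    print(resolve_modules(uri, VISIBLE))
    print(resolve_modules(uri, dict(VISIBLE, opensc=[])))
    print(resolve_modules("pkcs11:id=%01", VISIBLE))
```

The three calls show the cases from the thread: a token attribute narrows the search to one module, the same URI resolves to nothing when the resolving process cannot see the card, and a URI carrying only object attributes leaves every loaded module as a candidate.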