On Tue, 2016-06-21 at 10:43 +0100, David Woodhouse wrote:
> On Mon, 2016-06-20 at 15:50 +0200, Lubomir Rintel wrote:
> >
> > We're able to spawn a remoting agent in the user session and pass the
> > open file descriptor to the daemons, but there doesn't seem to be a way
> > to make the p11-kit or p11-kit-proxy users use that file handle. I've
> > got it working by passing the file descriptor number via an environment
> > variable [1] [2]; but perhaps there's a better way?
> >
> > [1] https://github.com/NetworkManager/p11-kit/commit/e92db917.patch
> > [2] https://github.com/NetworkManager/p11-kit/commit/fcb5a24.patch
>
> Hm, at first glance I was going to suggest that it might be nicer to
> avoid the config and environment bits, and just add a new function
> p11_kit_load_remote_module_by_fd().
>
> I'm not entirely sure how we make that work overall though, if you're
> only really using GnuTLS and not otherwise talking directly to
> p11-kit. And if you're using p11-kit-proxy.so through NSS or OpenSSL's
> engine_pkcs11 then you're another step removed from p11-kit.
What if there is a pkcs11 module called p11-kit-remote.so which all it does
is use the open fds (e.g., taken from env) if available and operate as the
proxied module. In that case the process which receives the fds could
override the global p11-kit config and set p11-kit-remote as the only
supported module (that may not be currently possible). If that was possible
wouldn't that work with either p11-kit-proxy or p11-kit direct (gnutls)?

regards,
Nikos
_______________________________________________
p11-glue mailing list
p11-glue@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/p11-glue
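The hand-off that Lubomir describes (an agent spawns the consumer with an already-open descriptor and tells it the fd number through the environment) is easy to get subtly wrong: the receiver must not trust the variable blindly, and the spawner must make sure only the intended descriptor survives into the child. The following is an added example illustrating that pattern in plain POSIX C; it is not code from p11-kit, from the linked patches, or from any of the people on this thread. The variable name `P11_KIT_REMOTE_FD_EXAMPLE` is a hypothetical placeholder, and the child plays the role of the daemon in-process instead of calling execve(), so the whole thing runs stand-alone.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical variable name for the example; not a real p11-kit setting. */
#define REMOTE_FD_ENV "P11_KIT_REMOTE_FD_EXAMPLE"

/* Receiver side: turn the environment value into a usable fd.
 * Returns -1 unless the value is a plain non-negative decimal number
 * that fits an int AND refers to a descriptor that is actually open in
 * this process (checked with fcntl(F_GETFD)). Anything else is rejected
 * rather than handed to the PKCS#11 layer. */
int parse_fd_value(const char *value) {
    if (value == NULL || *value == '\0')
        return -1;
    char *end = NULL;
    errno = 0;
    long n = strtol(value, &end, 10);
    if (errno != 0 || *end != '\0' || n < 0 || n > INT_MAX)
        return -1;
    if (fcntl((int)n, F_GETFD) == -1)
        return -1;               /* EBADF: nobody passed us that fd */
    return (int)n;
}

/* Spawner side, end to end: create a socketpair, fork a child that finds
 * its inherited end through REMOTE_FD_ENV and writes a greeting over it,
 * and read that greeting back in the parent. Returns 0 on success and a
 * distinct nonzero code for each failure point. */
int demo_roundtrip(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return 1;
    /* The parent's end must never leak into the spawned daemon: mark it
     * close-on-exec. A real agent would open every other descriptor with
     * O_CLOEXEC too, so that the advertised fd is the only one inherited. */
    if (fcntl(sv[0], F_SETFD, FD_CLOEXEC) == -1)
        return 2;

    pid_t pid = fork();
    if (pid == -1)
        return 3;

    if (pid == 0) {                       /* child: plays the daemon */
        close(sv[0]);
        char num[16];
        snprintf(num, sizeof num, "%d", sv[1]);
        setenv(REMOTE_FD_ENV, num, 1);
        /* A real agent would execve() the daemon here; the daemon would then
         * run exactly this lookup against its own environment. */
        int fd = parse_fd_value(getenv(REMOTE_FD_ENV));
        if (fd < 0)
            _exit(4);
        static const char msg[] = "hello from child";   /* constructed sample */
        ssize_t w = write(fd, msg, sizeof msg);
        _exit(w == (ssize_t)sizeof msg ? 0 : 5);
    }

    close(sv[1]);                         /* parent keeps only its own end */
    char buf[64] = {0};
    ssize_t r = read(sv[0], buf, sizeof buf - 1);
    close(sv[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) == -1)
        return 6;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return 10 + WEXITSTATUS(status);
    return (r > 0 && strcmp(buf, "hello from child") == 0) ? 0 : 7;
}

int main(void) {
    int rc = demo_roundtrip();
    printf("roundtrip: %s (rc=%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

The receiver-side check is the part worth keeping whatever transport ends up being chosen (environment variable, config entry, or a `load_remote_module_by_fd()` style API): a descriptor number is only meaningful inside the process it was created for, so a value that does not name an open fd, or that names one the process did not expect, should be refused instead of being wrapped as the proxied module.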