[PATCH] Callback for PIN prompting per PKCS#11 URI

Stef Walter stefw at collabora.co.uk
Thu Jul 7 19:32:38 CEST 2011


Hi guys,

Currently in gnutls only one global callback for PIN prompting can be
registered. This causes problems with multiple libraries in the same
process using gnutls.

Attached is a patch which uses p11-kit to solve this problem in a
generic and flexible way [1].

p11-kit (0.2 and later) now allows registering various callbacks for
different PKCS#11 URIs. It uses the 'pinfile' attribute of the URI to do
this. The PKCS#11 URI specification talks about application-specific
values for the 'pinfile' URI attribute. These new p11-kit APIs do exactly that.

Usage example: I'm using this to implement support for smart cards in
GLib's new TLS code.

 * GLib registers a callback with p11-kit for the 'pinfile' value:
      gtls-database
 * It includes pinfile=gtls-database in the various PKCS#11 URIs it
   passes to gnutls.
 * gnutls sees that there's a 'pinfile' attribute, and asks p11-kit to
   request the PIN, which it does by calling the callback registered.

Incidentally, I think the name of 'pinfile' in the PKCS#11 URI spec
should be changed to 'pin' but that's a separate issue.

This patch is also available as a branch:

http://cgit.collabora.com/git/user/stefw/gnutls.git/log/?h=pinfile

Let me know if something looks amiss. This patch makes no ABI changes to
gnutls.

Cheers,

Stef

[1] http://p11-glue.freedesktop.org/doc/p11-kit/p11-kit-PIN-Callbacks.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pkcs11-Use-p11_kit_pin_xxx-functionality-when-pinfil.patch
Type: text/x-patch
Size: 17410 bytes
Desc: not available
URL: </pipermail/attachments/20110707/2fed4d6d/attachment.bin>
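The dispatch described in the message (a callback registered under a 'pinfile' name, a PKCS#11 URI carrying pinfile=<name>, and the TLS library routing the PIN request to whichever library registered that name) can be modelled in a few dozen lines. The block below is an added, self-contained example; it is neither the attached patch nor p11-kit's API (the equivalent p11-kit calls are p11_kit_pin_register_callback() and p11_kit_pin_request()). The names pin_register_callback, uri_get_attribute, pin_request and request_matches, the registry layout, the fixed-PIN callback and the sample URIs are all assumptions made for the example; the PIN values are constructed. It shows why per-URI registration fixes the "one global callback per process" problem: two libraries register under different names and each only ever sees requests for its own URIs.

```c
#include <stdio.h>
#include <string.h>

/* Added example: model of per-URI PIN dispatch, not p11-kit's own code.
 * A callback is registered under a 'pinfile' name; a PKCS#11 URI that
 * carries pinfile=<name> is routed to that callback. */

#define MAX_CALLBACKS 8
#define NAME_MAX_LEN 64
#define PIN_MAX 64

/* Callback fills pin_out and returns 0, or returns -1 to decline. */
typedef int (*pin_callback)(const char *pinfile, const char *uri,
                            const char *description, void *data,
                            char *pin_out, size_t pin_size);

struct pin_registration { char name[NAME_MAX_LEN]; pin_callback cb; void *data; };
static struct pin_registration registry[MAX_CALLBACKS];
static int registry_count = 0;

/* Register (or replace) the callback for one pinfile name. 0 on success. */
int pin_register_callback(const char *pinfile, pin_callback cb, void *data)
{
    int i;
    if (strlen(pinfile) >= NAME_MAX_LEN)
        return -1;
    for (i = 0; i < registry_count; i++) {
        if (strcmp(registry[i].name, pinfile) == 0) {
            registry[i].cb = cb; registry[i].data = data;
            return 0;
        }
    }
    if (registry_count == MAX_CALLBACKS)
        return -1;
    strcpy(registry[registry_count].name, pinfile);
    registry[registry_count].cb = cb;
    registry[registry_count].data = data;
    registry_count++;
    return 0;
}

/* Pull one key=value attribute out of a "pkcs11:" URI. Path attributes
 * (';'-separated) and query attributes ('?' / '&'-separated) are scanned
 * alike; percent-decoding is omitted here (assumption: values are plain). */
int uri_get_attribute(const char *uri, const char *key, char *out, size_t out_size)
{
    const char *p;
    size_t klen = strlen(key);
    if (strncmp(uri, "pkcs11:", 7) != 0)
        return 0;
    for (p = uri + 7; *p; p += (*p ? 1 : 0)) {
        const char *end = p + strcspn(p, ";?&");
        if ((size_t)(end - p) > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = (size_t)(end - p) - klen - 1;
            if (vlen >= out_size)
                return 0;          /* value too long: treat as absent, never truncate */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end;
        if (!*p) break;
    }
    return 0;
}

/* Route a PIN request by the URI's 'pinfile' attribute. Returns 1 with
 * pin_out filled; 0 if the URI has no pinfile, nothing is registered for
 * that name, or the callback declined (caller then falls back to its
 * legacy global prompt, if any). */
int pin_request(const char *uri, const char *description, char *pin_out, size_t pin_size)
{
    char pinfile[NAME_MAX_LEN];
    int i;
    if (!uri_get_attribute(uri, "pinfile", pinfile, sizeof pinfile))
        return 0;
    for (i = 0; i < registry_count; i++)
        if (strcmp(registry[i].name, pinfile) == 0)
            return registry[i].cb(pinfile, uri, description, registry[i].data,
                                  pin_out, pin_size) == 0;
    return 0;
}

/* Stand-in for a library's real prompt (GUI, keyring...): returns the
 * constructed PIN passed as callback data. */
static int fixed_pin_callback(const char *pinfile, const char *uri, const char *description,
                              void *data, char *pin_out, size_t pin_size)
{
    const char *pin = data;
    (void)pinfile; (void)uri; (void)description;
    if (strlen(pin) >= pin_size)
        return -1;
    strcpy(pin_out, pin);
    return 0;
}

static void pin_wipe(char *buf, size_t n)
{
    volatile char *v = buf;     /* volatile so the clear is not optimised out */
    while (n--) *v++ = 0;
}

/* 1 if the request for uri succeeds and yields expected, else 0. */
int request_matches(const char *uri, const char *expected)
{
    char pin[PIN_MAX];
    int ok = pin_request(uri, "Unlock private key", pin, sizeof pin);
    int match = ok && strcmp(pin, expected) == 0;
    pin_wipe(pin, sizeof pin);  /* do not leave PINs lying around on the stack */
    return match;
}

int main(void)
{
    /* Two libraries in one process, each with its own prompt. */
    pin_register_callback("gtls-database", fixed_pin_callback, "1234");
    pin_register_callback("other-lib", fixed_pin_callback, "9999");
    printf("gtls: %d  other: %d  none: %d\n",
           request_matches("pkcs11:token=Test;object=key?pinfile=gtls-database", "1234"),
           request_matches("pkcs11:token=Test;object=key?pinfile=other-lib", "9999"),
           request_matches("pkcs11:token=Test;object=key", "1234"));
    return 0;
}
```

A URI without a pinfile attribute, or with a name nobody registered, yields no PIN rather than a wrong library's PIN, which is the property the single global callback could not give. The example also wipes the PIN buffer after use; real implementations should do the same for any copy of the PIN they hold.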