[gnutls-help] Multi-tenancy and PKCS #11

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Jul 19 17:10:11 CEST 2017

On Wed, Jul 19, 2017 at 11:12 AM, Rick van Rein <rick at openfortress.nl> wrote:
> Hi,
>>> One thing that may be blocking it, is the fact that GnuTLS has a global
>>> setup for PKCS #11, including the available tokens and their PINs.  Is
>>> that correct, or is there a way to get around this?
>> Could you describe the ideal situation of handling smart cards for the
>> use case above?
> The design alternative that I'm exploring is one in which the TLS Pool is
> a networked component, serving to multiple daemons, and/or where each
> daemon can run on behalf of various domain names.  Ideally, the credentials
> of each domain name would be kept separate in the TLS Pool, rather than
> trusting the daemon to do the right thing.  The daemon is closer to the
> protocols and parsers of the application, after all, and the whole idea of
> the TLS Pool is keeping application logic and security logic separated.
>> The situation in gnutls is that pkcs11 shared modules
>> are loaded globally, pins etc are cached/used per private key,
>> operation.
> The PINs may be the solution then.  You didn't write down the precise
> logic, right?  Well you did, of course, in the code :) so maybe I should
> take a look there.  I had assumed PINs were strictly delegated to p11-kit.

You may want to check gnutls_pkcs11_privkey_t handling. Only the
shared module should be global on its handling. Everything else is
local to the object.


More information about the Gnutls-help mailing list