[gnutls-help] Multi-tenancy and PKCS #11

Rick van Rein rick at openfortress.nl
Wed Jul 19 21:15:04 CEST 2017


> You may want to check gnutls_pkcs11_privkey_t handling. Only the
> shared module should be global on its handling. Everything else is
> local to the object.

That's helpful.

1. Modules are in the globals providers / #active_providers in pkcs11.c
2. A global _gnutls_pin_func is set from gnutls_pkcs11_set_pin_function(),
   or a per-privkey pin_info is set from gnutls_pkcs11_privkey_set_pin_function()

In short, limiting visibility of modules to clients remains one concern
(mostly one of privacy) but the major concern (of security) through
visibility of the PIN between clients can probably be achieved already.

Good, now I know where and how to scratch my head over this design issue.


More information about the Gnutls-help mailing list