From: Nikos M. <n.m...@gm...> - 2013-02-18 20:56:45
On 02/18/2013 09:37 PM, Douglas E. Engert wrote:

> Your solution below might work, but I would like others
> to comment on your proposal as well.
> On a different point, your first note says:
> "This causes quite a problem in gnutls which has transparent smart card
> support and calls C_Initialize on startup."
> How transparent is this?

You may want to check the manual to get an idea about how that works:
http://www.gnutls.org/manual/html_node/Smart-cards-and-HSMs.html#Smart-cards-and-HSMs

> How does gnutls find a PKCS#11 implementation?

We use p11-kit and additionally a configuration file.

> Will gnutls try and load any and all PKCS#11 modules it finds?

Depending on p11-kit configuration.

> Can it load more than one PKCS#11 module?

Yes.

> I ask this as just loading another PKCS#11 may include
> loading more libraries, placing more of a dependency on
> all these libraries loading correctly even when they are
> not used.

So far they load correctly. We have had this support for quite some time.
The main issue we have is the initialization delay due to opensc
(and sometimes other modules as well).

> The OpenSC PKCS#11 will include OpenSSL for example.

I don't like that, but I don't always get what I like. Nevertheless,
this is dynamic loading so I'm not really concerned.

> OpenSC will try and use pcscd as well.
> I am asking this as adding "transparent smart card support"
> may not be as transparent as you think.

I don't understand what you mean here.

> I see in:
> http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs
> is using /etc/pkcs11/modules a system wide file?

Yes. This is the p11-kit configuration file.

p11-kit: http://p11-glue.freedesktop.org/p11-kit.html

regards,
Nikos