From: Douglas E E. <dee...@gm...> - 2015-04-29 16:06:30

Will this change cause problems in systems where libpkcs11.so already
exists in the standard load path? For example Oracle Solaris:
/usr/lib/64/libpkcs11.so.1
http://docs.oracle.com/cd/E19120-01/open.solaris/819-2145/chapter1-1/index.html

I would assume libpkcs11.so would implement a PKCS#11 module, not an
engine for OpenSSL. Will this only work because it's in the engine
directory, and thus only work when using OpenSSL?

On 4/29/2015 8:55 AM, David Woodhouse wrote:
> I've just fixed the Fedora packages (for F22+) so that this kind of
> command line will Just Work with RFC7512 PKCS#11 URIs:
>
> $ openssl req -new -keyform engine -engine pkcs11 -key "pkcs11:manufacturer=piv_II;id=%01"

The OpenSC engine_pkcs11.so can load any PKCS#11 module, not just the
OpenSC version. It could even load the Solaris /usr/lib/64/libpkcs11.so.1.

>
> Ideally, all of that '-engine pkcs11 -keyform engine' will eventually
> go away. When you provide a -key argument that starts with 'pkcs11:'
> it should *infer* that, like GnuTLS and other things do (including
> OpenConnect when built against OpenSSL+libp11).

That sounds like the equivalent of having the engine code built in.
What do you mean by eventually? Are you saying when OpenSSL supports
calling a PKCS#11 module without using an engine?

Do you still need an openssl.cnf with something like:

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
dynamic_path = /some/path/ssl/engine/libpkcs11.so
[...]

>
> But in the meantime, we can settle for this because at least it's a
> massive improvement over what we had before.

It may work, but it just does not sound right to me at this time.
Processes like login that use PAM can drag in packages like LDAP,
Kerberos and NSS, some of which also support smart card login via
PKCS#11 too.

>
> For now I'm just manually creating a symlink from libpkcs11.so to
> engine_pkcs11.so in the Fedora package to make '-engine pkcs11' work
> in the above.
>
> I'm not quite sure what is the best way to do that upstream. If we do
> actually rename, the old baroque way of doing things will stop
> working. Although it's only a minor tweak.
>
> Or perhaps we could make the symlink in the engine_pkcs11 makefiles...
> except that seems hard since libtool makes the .so file and we don't
> even know what the extension (.so) is.

Anyone else feel a little uneasy with this?

> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

-- 
Douglas E. Engert <DEE...@gm...>
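As an added example (mine, not code from this thread, OpenSC, libp11 or OpenSSL), here is the piece of work that "inferring it from the 'pkcs11:' prefix" implies: a parser for the RFC 7512 URI syntax used in the command line above. It recognises the scheme, splits path attributes (';'-separated) from query attributes (after '?', '&'-separated), percent-decodes each value, keeps 'id' as raw bytes because CKA_ID is binary, and rejects duplicates and attributes placed in the wrong component. The attribute name tables are the ones RFC 7512 defines; the sample URIs in the comments are constructed for illustration.

```python
"""RFC 7512 PKCS#11 URI parser (added example, not project code)."""
from urllib.parse import unquote_to_bytes

# Attribute names defined by RFC 7512 for the path and query components.
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
BINARY_ATTRS = {"id"}          # returned as bytes; everything else as str
TYPE_VALUES = {"public", "private", "cert", "secret-key", "data"}


def is_pkcs11_uri(arg: str) -> bool:
    """The 'infer it from the prefix' check. URI schemes are case-insensitive,
    so 'PKCS11:' counts too; a plain file path does not."""
    return arg[:7].lower() == "pkcs11:"


def _parse_component(component: str, sep: str, allowed: set) -> dict:
    """Split one component into name -> value, percent-decoding values.
    Attribute names are kept verbatim (no case folding)."""
    attrs = {}
    if component == "":
        return attrs                      # e.g. "pkcs11:" matches everything
    # RFC 7512 also permits vendor-specific attributes, so we only reject
    # names that clearly belong to the *other* component.
    wrong_component = (PATH_ATTRS | QUERY_ATTRS) - allowed
    for part in component.split(sep):
        name, eq, raw = part.partition("=")
        if eq == "" or name == "":
            raise ValueError("attribute without '=': %r" % part)
        if name in attrs:
            raise ValueError("duplicate attribute: %s" % name)
        if name in wrong_component:
            raise ValueError("attribute %s not allowed here" % name)
        value = unquote_to_bytes(raw)     # "%01" -> b"\x01", "%20" -> b" "
        if name not in BINARY_ATTRS:
            value = value.decode("utf-8")
        attrs[name] = value
    return attrs


def parse_pkcs11_uri(uri: str) -> dict:
    """Return {"path": {...}, "query": {...}} for a pkcs11: URI, or raise
    ValueError. Example (constructed): the thread's
    "pkcs11:manufacturer=piv_II;id=%01" gives
    {"path": {"manufacturer": "piv_II", "id": b"\\x01"}, "query": {}}."""
    if not is_pkcs11_uri(uri):
        raise ValueError("not a pkcs11: URI: %r" % uri)
    body = uri[7:]
    path_part, _, query_part = body.partition("?")
    path = _parse_component(path_part, ";", PATH_ATTRS)
    query = _parse_component(query_part, "&", QUERY_ATTRS)
    if "type" in path and path["type"] not in TYPE_VALUES:
        raise ValueError("unknown type value: %s" % path["type"])
    return {"path": path, "query": query}


if __name__ == "__main__":
    # Constructed inputs: the URI from the thread, and one with a query part.
    print(parse_pkcs11_uri("pkcs11:manufacturer=piv_II;id=%01"))
    print(parse_pkcs11_uri(
        "pkcs11:token=My%20Token;object=piv%20key;type=private"
        "?pin-source=file:/etc/pin&module-path=/usr/lib64/opensc-pkcs11.so"))
```

Note that the parser only recognises the URI; matching it against a token still means enumerating slots and objects through the loaded PKCS#11 module (which is what the engine does), and the module to load comes from the optional module-path/module-name query attributes or from the engine configuration in openssl.cnf.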