gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]
Hi all!

I'm about to merge a lot of the trust assertion work I've been doing
into gnome-keyring master. I posted here earlier about some of it. One
of the later changes that I thought I'd highlight is about a config file.

So far we're using the PKCS#11 Registry Directory [1] concept for
looking up which PKCS#11 modules to load.

However we need some way to mark which modules and slots should be used
to look up and store trust assertions. It's important not to use trust
assertions from random PKCS#11 slots, as that would allow trivial
'installation' of a root CA certificate.

So to do that we have a config file which consists of:

/etc/xdg/pkcs11.conf.defaults
/etc/xdg/pkcs11.conf

The second one is loaded after the first and overrides the first. These
are XDG desktop files (i.e. used with the GKeyFile API). /etc/xdg is the
standard directory for system-wide desktop configuration.

Both libgcr (see trust-store branch) and soon glib (see the tls-database
branch) use these files to determine where to look up trust assertions [2].

These config files may be an interim solution until a community wide
standard emerges, or perhaps they will become such a standard. Not sure
yet, and I think there's going to be more discussion on this at FOSDEM [3].

In the files we use PKCS#11 URIs [4] to identify which slots to use for
what. One problem is that there is no way to specify the module file
name in a PKCS#11 URI. This prevents us from an airtight identification
of the relevant PKCS#11 slot. I'll bring this up to the PKCS#11 URI authors.

Let me know soon if there are fundamental problems with the above
approach, which should be addressed before we release this in a stable
version.

Cheers,

Stef

[1] http://wiki.cacert.org/Pkcs11TaskForce

[2] http://people.collabora.co.uk/~stefw/trust-assertions.html

[3] http://www.opensc-project.org/opensc/wiki/FOSDEM2011

[4] http://tools.ietf.org/html/draft-pechanec-pkcs11uri-03
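An added example, not gnome-keyring's or libgcr's code, of the two mechanisms the post describes: loading /etc/xdg/pkcs11.conf.defaults and then /etc/xdg/pkcs11.conf so that the second overrides the first, and using PKCS#11 URIs from those files as an allow-list of the slots that may serve trust assertions, so a slot the configuration does not name is never consulted. The group name `trust-assertions`, the keys `lookup-uri` and `store-uri`, the sample file contents and the slot descriptions are constructed assumptions; the post does not give the real key names. The URI parser follows the draft's general shape (`pkcs11:` scheme, `;`-separated `name=value` attributes, percent-encoded values) and only relies on attributes such as `token`, `manufacturer` and `serial`.

```python
"""Layered PKCS#11 trust configuration (added example, not gnome-keyring code).

Loads a defaults file, overlays the site file on top of it, and decides
whether a given slot may be used to look up or store trust assertions.
Group/key names and all sample data below are constructed assumptions.
"""
import configparser
from urllib.parse import unquote

# Constructed stand-ins for /etc/xdg/pkcs11.conf.defaults and /etc/xdg/pkcs11.conf.
DEFAULTS_TEXT = """# constructed sample of /etc/xdg/pkcs11.conf.defaults
[trust-assertions]
lookup-uri=pkcs11:token=System%20Trust;manufacturer=Example%20Corp
store-uri=pkcs11:token=User%20Trust
"""

SITE_TEXT = """# constructed sample of /etc/xdg/pkcs11.conf (loaded second, overrides)
[trust-assertions]
store-uri=pkcs11:token=Site%20Trust;serial=0001
"""


def load_layered_config(defaults_text, site_text):
    """Parse GKeyFile-style text; a key in the site file overrides the default."""
    # interpolation=None keeps '%' in percent-encoded URIs untouched;
    # '=' is the only delimiter so the first '=' splits key from value.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # GKeyFile keys are case-sensitive
    cp.read_string(defaults_text)
    cp.read_string(site_text)  # read later, so its keys win
    return {group: dict(cp[group]) for group in cp.sections()}


def parse_pkcs11_uri(uri):
    """Split a PKCS#11 URI into an attribute dict.

    Attributes follow the 'pkcs11:' scheme as ';'-separated name=value
    pairs with percent-encoded values. Raises ValueError on malformed input.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    attrs = {}
    body = uri[len("pkcs11:"):]
    for part in body.split(";") if body else []:
        name, sep, value = part.partition("=")
        if not sep or not name:
            raise ValueError("malformed attribute %r" % part)
        attrs[name] = unquote(value)
    return attrs


def uri_matches_slot(attrs, slot_info):
    """Every attribute the URI names must equal the slot's own value."""
    return all(slot_info.get(name) == value for name, value in attrs.items())


def slot_allowed_for_trust(slot_info, config, purpose="lookup"):
    """Deny by default: only a slot matching the configured URI is used.

    purpose is "lookup" (reading assertions) or "store" (writing them).
    A URI with no attributes would match every slot, which is exactly the
    'random slot' problem, so it is treated as not configured.
    """
    key = "lookup-uri" if purpose == "lookup" else "store-uri"
    uri = config.get("trust-assertions", {}).get(key, "")
    if not uri:
        return False
    attrs = parse_pkcs11_uri(uri)
    if not attrs:
        return False
    return uri_matches_slot(attrs, slot_info)


if __name__ == "__main__":
    cfg = load_layered_config(DEFAULTS_TEXT, SITE_TEXT)
    # Constructed slot descriptions, as a PKCS#11 module would report them.
    system_slot = {"token": "System Trust", "manufacturer": "Example Corp"}
    random_slot = {"token": "Random Token", "manufacturer": "Example Corp"}
    print(cfg["trust-assertions"])
    print("system slot for lookup:", slot_allowed_for_trust(system_slot, cfg))
    print("random slot for lookup:", slot_allowed_for_trust(random_slot, cfg))
```

Because the overlay is done by reading the site file into the same parser after the defaults, `store-uri` ends up pointing at the site's token while `lookup-uri` still comes from the defaults, which is the override behaviour the post describes. One design wrinkle worth knowing if the real files hold several URIs per key: GKeyFile's default list separator is `;`, the same character that separates attributes inside a PKCS#11 URI, so the example keeps one URI per key.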

