Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]

From: Stef Walter <stefw collabora co uk>
To: Nikos Mavrogiannopoulos <nmav gnutls org>
Cc: Dan Winship <danw gnome org>, "gnome-keyring-list gnome org" <gnome-keyring-list gnome org>
Subject: Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]
Date: Sun, 16 Jan 2011 14:11:22 -0800

On 01/12/2011 07:38 AM, Nikos Mavrogiannopoulos wrote:
> What kind of information do you store there? For gnutls what
> we need there is a list of libraries to load to access objects,
> and optionally a library that (might) provide faster crypto
> operations.

Currently we're just storing the PKCS#11 URIs for where trust assertion
objects should be looked up and/or stored.

> We need the former because loading all libraries from /usr/lib/pkcs11
> from [2] is not practical. At least in my system there are some debugging
> libraries that print funny messages to the stderr, and similar libraries
> that provide the same objects (e.g. libopensc and libopensc-one or something
> like that). Thus we need a config file that will specify the exact libraries
> for applications to use in order to access objects.

That makes sense. It of course begs the question whether unusable
libraries should be installed in /usr/lib/pkcs11, but that's an aside.

In any case, we also need a configuration file which specifies the
libraries if we want to support user configuration of pkcs11 modules
(like NSS does).

For the library listing, I would suggest something like the following,
in desktop entry format:

[name]
library=/path/to/pkcs11-module.so
enabled=TRUE

And there would be multiple files that could contain these 'groups'. For
example:

/etc/pkcs11/pkcs11.defaults
/etc/pkcs11/pkcs11.conf
~/.pkcs11/pkcs11.conf

The above would be read in order, with latter groups of the same being
loaded on top of earlier ones. This would allow (for example) the user
to disable a module provided by the system.

There would probably need to be a switch to turn off/on the loading of
the user config file, for lockdown or reasons.

At this point we would have a system similar to the XDG basedir spec
[1], but the big difference is the environment variable usage. But for
lockdown to work, we couldn't really do the environment variable stuff.

What do you think?

Stef

[1] http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

Follow-Ups:
- Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]
  - From: Nikos Mavrogiannopoulos

References:
- Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]
  - From: Stef Walter
- Re: gnome-keyring PKCS#11 config file /etc/xdg/pkcs11.conf[.defaults]
  - From: Nikos Mavrogiannopoulos

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]