Re: setEnvironmentVariable DBus method for wpasupplicant



Stef <stef memberwebs com> writes:

> David Smith wrote:
>> For implementing PKCS#11 support in the network manager gnome applet
>> using gnome keyring as the backing store, it's necessary to tell
>> wpasupplicant the environment variable of GNOME_KEYRING_SOCKET before
>> loading the gnome keyring PKCS#11 library. This socket will be protected
>> to the local user, but since wpasupplicant must run as root, it should
>> be able to access it and indeed it must.
>
> Not sure how we plan to address this. gnome-keyring doesn't currently
> support access by root to its sockets.

Hmm, then this is a critical problem.

>> Attached is a patch to add a DBus interface to set environment variables
>> in wpasupplicant. I hope this is an acceptable compromise. In the long
>> term, a better interface from keyring might be made available and then
>> any necessary changes to wpasupplicant could be made at that time, but
>> for now this is a rather trivial addition that would primarily be useful
>> for working with the current implementation.
>
> Well, I'm not sure you have to add a DBus API to wpasupplicant.
>
> gnome-keyring-daemon has a small DBus API for exactly that purpose. To
> allow applications started by the DBus session (but without the
> environment variables) to retrieve the appropriate socket path.
> libgnome-keyring uses this when the environment variable is not available.
>
> string org.gnome.keyring.Dameon.GetSocketPath()
>
> at /org/gnome/keyring/daemon
>
> See:
>
> http://svn.gnome.org/viewvc/gnome-keyring/trunk/daemon/gkr-daemon-dbus.c?revision=888&view=markup&pathrev=1189
> http://svn.gnome.org/viewvc/gnome-keyring/trunk/library/gnome-keyring-private.h?revision=879&view=markup&pathrev=1169
> http://svn.gnome.org/viewvc/gnome-keyring/trunk/library/gnome-keyring.c?revision=1120&view=markup&pathrev=1169
>
> Another approach might be similar to what the NSS PKCS#11 components use.
>
> In order to initialize the NSS softkn3 PKCS#11 component you pass in an
> argument string into the pReserved member of the
> CK_C_INITIALIZE_ARGS_PTR structure passed to C_Initialize. In the case
> of the gnome-keyring PKCS#11 module we could make that be the socket path.
>

OK, thanks for this info. Downside is that implementing will take
forever because wpasupplicant doesn't have any way to send additional
arguments to C_Initialize, since it uses the OpenSSL PKCS#11 engine
which underneath uses libp11 which always sends NULL to
C_Initialize. Even if I fixed libp11, OpenSSL PKCS#11 engine, and
wpasupplicant to provide an interface to specifying
CK_C_INITIALIZE_ARGS, I'd have to make similar modifications in other
supplicants like strongswan, effectively just so we can have keyring's
proprietary arguments passed along. So, I'm not very enticed by this
proposal. I think using something outside of the cryptoki API is a
better way to pass along this info, like the environment variable or
better DBus APIs.

- dds
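The pReserved-argument approach Stef describes, sketched from the PKCS#11 module's side as an added example (not gnome-keyring's, NSS's or wpasupplicant's code): a resolver that takes an NSS-style `key=value` argument string handed through pReserved, falls back to GNOME_KEYRING_SOCKET when the caller (such as libp11) passed NULL, and rejects anything that is not an absolute path. The minimal `init_args_t` struct and the `socketPath` key are assumptions standing in for CK_C_INITIALIZE_ARGS and a real argument format.

```c
#include <stdlib.h>
#include <string.h>

/* Assumption: minimal stand-in for CK_C_INITIALIZE_ARGS modelling only the
 * pReserved member; real code would include pkcs11.h. */
typedef struct {
    void *pReserved;
} init_args_t;

/* Copy n bytes of s into a fresh NUL-terminated string (caller frees). */
static char *dup_range(const char *s, size_t n) {
    char *out = malloc(n + 1);
    if (!out) return NULL;
    memcpy(out, s, n);
    out[n] = '\0';
    return out;
}

/* Find key=value in a space-separated argument string such as
 * "flags=readOnly socketPath=/tmp/keyring-abc/pkcs11" (constructed format).
 * Returns a malloc'd copy of the value, or NULL if absent or empty. */
static char *arg_lookup(const char *args, const char *key) {
    size_t klen = strlen(key);
    const char *p = args;
    while (p && *p) {
        while (*p == ' ') p++;
        const char *end = strchr(p, ' ');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > klen + 1 && strncmp(p, key, klen) == 0 && p[klen] == '=')
            return dup_range(p + klen + 1, len - klen - 1);
        p = end;
    }
    return NULL;
}

/* Module-side resolution of the keyring socket path: prefer the argument
 * string passed through pReserved, otherwise fall back to the
 * GNOME_KEYRING_SOCKET environment variable. Only absolute paths are
 * accepted so a relative or empty value cannot redirect the module to a
 * socket in the caller's working directory. Caller frees the result. */
char *resolve_socket_path(const init_args_t *args) {
    char *path = NULL;
    if (args && args->pReserved)
        path = arg_lookup((const char *)args->pReserved, "socketPath");
    if (!path) {
        const char *env = getenv("GNOME_KEYRING_SOCKET");
        if (env) path = dup_range(env, strlen(env));
    }
    if (path && path[0] != '/') { free(path); path = NULL; }
    return path;
}
```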



