Re: setEnvironmentVariable DBus method for wpasupplicant

Stef <stef memberwebs com> writes:

> David Smith wrote:
>> For implementing PKCS#11 support in the network manager gnome applet
>> using gnome keyring as the backing store, it's necessary to tell
>> wpasupplicant the environment variable of GNOME_KEYRING_SOCKET before
>> loading the gnome keyring PKCS#11 library. This socket will be protected
>> to the local user, but since wpasupplicant must run as root, it should
>> be able to access it and indeed it must.
> Not sure how we plan to address this. gnome-keyring doesn't currently
> support access by root to its sockets.

Hmm, then this is a critical problem.

>> Attached is a patch to add a DBus interface to set environment variables
>> in wpasupplicant. I hope this is an acceptable compromise. In the long
>> term, a better interface from keyring might be made available and then
>> any necessary changes to wpasupplicant could be made at that time, but
>> for now this is a rather trivial addition that would primarily be useful
>> for working with the current implementation.
> Well, I'm not sure you have to add a DBus API to wpasupplicant.
> gnome-keyring-daemon has a small DBus API for exactly that purpose. To
> allow applications started by the DBus session (but without the
> environment variables) to retrieve the appropriate socket path.
> libgnome-keyring uses this when the environment variable is not available.
> string org.gnome.keyring.Daemon.GetSocketPath()
> at /org/gnome/keyring/daemon
> See:
> Another approach might be similar to what the NSS PKCS#11 components use.
> In order to initialize the NSS softokn3 PKCS#11 component you pass in an
> argument string into the pReserved member of the
> CK_C_INITIALIZE_ARGS_PTR structure passed to C_Initialize. In the case
> of the gnome-keyring PKCS#11 module we could make that be the socket path.

OK, thanks for this info. Downside is that implementing will take
forever because wpasupplicant doesn't have any way to send additional
arguments to C_Initialize, since it uses the OpenSSL PKCS#11 engine
which underneath uses libp11 which always sends NULL to
C_Initialize. Even if I fixed libp11, OpenSSL PKCS#11 engine, and
wpasupplicant to provide an interface to specifying
CK_C_INITIALIZE_ARGS, I'd have to make similar modifications in other
supplicants like strongswan, effectively just so we can have keyring's
proprietary arguments passed along. So, I'm not very enticed by this
proposal. I think using something outside of the cryptoki API is a
better way to pass along this info, like the environment variable or
better DBus APIs.

- dds
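As an added example (not code from this thread, gnome-keyring, libp11 or wpasupplicant), here is what the module side of the NSS-style proposal above looks like: a C_Initialize that reads the socket path from pReserved and otherwise falls back to GNOME_KEYRING_SOCKET, which is the only channel left when the caller passes NULL the way libp11 does. The struct is a minimal local copy of the PKCS#11 CK_C_INITIALIZE_ARGS layout, and the "socket=<path>" argument format is an assumption, not gnome-keyring's real one.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal local copy of the PKCS#11 CK_C_INITIALIZE_ARGS layout (the four
 * mutex members are function pointers in pkcs11.h); declared here only so
 * the example builds without the Cryptoki headers. */
typedef unsigned long CK_RV;
typedef unsigned long CK_FLAGS;
typedef void *CK_VOID_PTR;
typedef struct CK_C_INITIALIZE_ARGS {
    CK_VOID_PTR CreateMutex, DestroyMutex, LockMutex, UnlockMutex;
    CK_FLAGS flags;
    CK_VOID_PTR pReserved;   /* module-specific; NULL unless the module defines a use */
} CK_C_INITIALIZE_ARGS;
#define CKR_OK            0x00UL
#define CKR_ARGUMENTS_BAD 0x07UL
#define CKF_OS_LOCKING_OK 0x02UL

static char g_socket_path[256];
const char *example_socket_path(void) { return g_socket_path; }

/* Module-side C_Initialize: take the socket path from a hypothetical
 * "socket=<path>" string in pReserved (softokn style), else from
 * GNOME_KEYRING_SOCKET, which is all a NULL-passing caller like libp11
 * can supply. *source reports which channel won, for logging. */
CK_RV example_C_Initialize(CK_VOID_PTR pInitArgs, const char **source) {
    const CK_C_INITIALIZE_ARGS *args = pInitArgs;
    const char *path = NULL;
    *source = "none";
    if (args != NULL && args->pReserved != NULL) {
        const char *s = args->pReserved;
        if (strncmp(s, "socket=", 7) != 0)
            return CKR_ARGUMENTS_BAD;     /* unknown pReserved content */
        path = s + 7;
        *source = "pReserved";
    }
    if (path == NULL && (path = getenv("GNOME_KEYRING_SOCKET")) != NULL)
        *source = "environment";
    /* Accept only absolute paths: a relative one would be resolved from the
     * caller's cwd, which for a root-run supplicant is not the user's. */
    if (path == NULL || path[0] != '/' || strlen(path) >= sizeof g_socket_path)
        return CKR_ARGUMENTS_BAD;
    memcpy(g_socket_path, path, strlen(path) + 1);
    return CKR_OK;
}
```

A caller that can use the pReserved channel fills a CK_C_INITIALIZE_ARGS with flags = CKF_OS_LOCKING_OK and pReserved = "socket=/path/to/socket" and passes it as pInitArgs; a caller that passes NULL lands in the environment branch, which is why the thread turns on getting GNOME_KEYRING_SOCKET into wpasupplicant's environment.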
