Bug 51949

Summary: Create daemon for running pkcs#11 modules in a shared mode
Product: p11-glue Reporter: Stef Walter <stefw>
Component: p11-kitAssignee: Stef Walter <stefw>
Status: NEW --- QA Contact:
Severity: normal    
Priority: medium CC: guillaume.desmottes, n.mavrogiannopoulos, redhat
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Bug Depends on: 54105    
Bug Blocks:    

Description Stef Walter 2012-07-10 14:22:53 UTC 
A daemon for running pkcs#11 modules in a shared mode.

The login state should be shared, but sessions and session objects should not be shared between clients of these modules.

It may be that this daemon runs in the gnome-keyring-daemon process as an optimization. But it doesn't have to be that way.
Comment 1 Stef Walter 2012-07-10 14:23:13 UTC 
There's more progress on this than the bug belies. Hopefully I'll have my WIP branch in order soon.
Comment 2 Stef Walter 2012-08-27 08:50:56 UTC 
Some notes on this:

 * Add a setting to p11-kit module configs which make a module automatically
   load in shared mode in the daemon instead of in-process. Maybe something like
   this in the module config:

   remote: session-daemon

 * The daemon would be autostarted if not already running. Taking cues from
   how gpg2 starts gpg-agent. This would be started if any modules are 
   'session-daemon' see above.

To do the above we would create a p11-kit-daemon binary.

Although not strictly related to the daemon, I'd also like to support exec'ing a process and talking PKCS#11 RPC to it on stdio. We could install a 'p11-kit-remote' executable for this, which talks PKCS#11 RPC on stdio, and loads a specific module.

This has two use cases:

 * Running a PKCS#11 module in another process, for security reasons. That
   process could be locked down via SELinux and so on. Maybe with a config line
   like this:

   remote: separate-process

 * Running a PKCS#11 module on another machine, similar to what pkcs11_proxy
   does. You would add a line like this to the module config:

   remote: ssh hostname.example.com /usr/libexec/p11-kit-remote my-module-name

All of the above would only work on Unix, and not be compiled for win32.
Comment 3 Petr Špaček 2014-10-15 11:07:18 UTC 
Maybe it will be interesting for you that FreeIPA&SSSD projects plan to implement something like this...

Contact freeipa-devel@redhat.com if you want to know more details.

Have a nice day!

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.