Bug 51949 - Create daemon for running pkcs#11 modules in a shared mode
Summary: Create daemon for running pkcs#11 modules in a shared mode
Status: NEW
Alias: None
Product: p11-glue
Classification: Unclassified
Component: p11-kit (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Stef Walter
QA Contact:
Depends on: 54105
  Show dependency treegraph
Reported: 2012-07-10 14:22 UTC by Stef Walter
Modified: 2014-10-15 11:07 UTC (History)
3 users (show)

See Also:
i915 platform:
i915 features:


Description Stef Walter 2012-07-10 14:22:53 UTC
A daemon for running pkcs#11 modules in a shared mode.

The login state should be shared, but sessions and session objects should not be shared between clients of these modules.

It may be that this daemon runs in the gnome-keyring-daemon process as an optimization. But it doesn't have to be that way.
Comment 1 Stef Walter 2012-07-10 14:23:13 UTC
There's more progress on this than the bug belies. Hopefully I'll have my WIP branch in order soon.
Comment 2 Stef Walter 2012-08-27 08:50:56 UTC
Some notes on this:

 * Add a setting to p11-kit module configs which make a module automatically
   load in shared mode in the daemon instead of in-process. Maybe something like
   this in the module config:

   remote: session-daemon

 * The daemon would be autostarted if not already running. Taking cues from
   how gpg2 starts gpg-agent. This would be started if any modules are 
   'session-daemon' see above.

To do the above we would create a p11-kit-daemon binary.

Although not strictly related to the daemon, I'd also like to support exec'ing a process and talking PKCS#11 RPC to it on stdio. We could install a 'p11-kit-remote' executable for this, which talks PKCS#11 RPC on stdio, and loads a specific module.

This has two use cases:

 * Running a PKCS#11 module in another process, for security reasons. That
   process could be locked down via SELinux and so on. Maybe with a config line
   like this:

   remote: separate-process

 * Running a PKCS#11 module on another machine, similar to what pkcs11_proxy
   does. You would add a line like this to the module config:

   remote: ssh hostname.example.com /usr/libexec/p11-kit-remote my-module-name

All of the above would only work on Unix, and not be compiled for win32.
Comment 3 Petr Špaček 2014-10-15 11:07:18 UTC
Maybe it will be interesting for you that FreeIPA&SSSD projects plan to implement something like this...

Contact freeipa-devel@redhat.com if you want to know more details.

Have a nice day!

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.