-
Notifications
You must be signed in to change notification settings - Fork 37
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added "--with-pkcs11-module" configure option
- Loading branch information
Showing
2 changed files
with
19 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
0d0436e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that the change is not equivalent. The p11-kit proxy module is not just a default module. It is a system wide module that wraps all the available in the system PKCS#11 modules. With the new option the p11-kit module is not used even if available. A user would have to know about it.
0d0436e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I certainly hope so. The previous code attempted to create an unnecessary direct dependency on p11-kit, whereas the new code simply requests libp11 to load the p11-kit-proxy module.
I fail to understand the contradiction in your statement. p11-kit-proxy is both "just a default module" and "a system wide module that wraps all the available in the system PKCS#11 modules". For libp11 and engine_pkcs11 p11-kit-proxy is just a PKCS#11 module. Neither libp11 nor engine_pkcs11 directly invoke any functionality specific to p11-kit.
Why do you think it is not used? Have you tested it? Could you share the results of your tests?
0d0436e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The long term goal for the engine was to rely only on p11-kit (without libp11) for safety and pkcs11 module discovery. May not make much sense though as currently it would require a rewrite of the engine.
That was a mistake of mine. I only checked the code and didn't realize that you kept using p11-kit by default.
0d0436e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indeed. The rewrite would require duplicating most (>80%) of the libp11 functionality into engine_pkcs11. I'm not sure what you mean by "safety", but neither libp11 nor engine_pkcs11 do any PKCS#11 module discovery: this feature already solely relies on p11-kit.
0d0436e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The sharing issue with PKCS#11 is that you cannot share a module in a process with multiple consumers (e.g., engine_pkcs11 through a library dependency and direct usage of PKCS#11).
http://p11-glue.freedesktop.org/doc/p11-kit/sharing.html#sharing-problem
0d0436e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you. This was a very useful read.
Technically, we could replace the libp11 (not engine_pkcs11, because engine_pkcs11 only invokes PKCS#11 via libp11) code for loading PKCS#11 modules with p11-kit API (http://cgit.freedesktop.org/p11-glue/p11-kit/tree/p11-kit/p11-kit.h). p11-kit would basically replace the functionality currently implemented in the src/libpkcs11.c file (4% of the libp11 code) with its own, significantly more advanced implementation.
On the other hand, there are important drawbacks of this approach:
0d0436e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we're going to have a discussion along those lines, what I would actually like to do is kill libp11 and engine_pkcs11 completely. OpenSSL should support PKCS#11 as a first-class citizen. The APIs which currently take filenames for certificates and keys should accept PKCS#11 URIs seamlessly in place of those filenames.
One potential way that might be achieved is perhaps:
The relicensing might be a pain point; it might end up being better to reimplement, or to re-use code from something with a more appropriate licence like Alon's pkcs11-helper. But I really want to see OpenSSL supporting PKCS#11 natively so that it isn't a bolt-on extra that all applications forget to support.
0d0436e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So the questions are:
I expect problems with (1) and (4). The technical stuff seems to be quite simple compared to getting all the approvals.
@dwmw2: In case you decide to implement your proposal: I hereby agree to relicense my contributions to engine_pkcs11 and libp11 to the OpenSSL license.
0d0436e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well how useful is libp11 as a generic library? I'd simply consider it as an internal part of engine_pkcs11. If engine_pkcs11 is used with openssl there is no reason to use libp11.
gnutls uses p11-kit and that works in windows as well. Granted p11-kit's configuration in windows is manual (there is no automatic discovery of modules there), but it works.
That could be true, but p11-kit is quite small comparing to openssl overall. Embedded systems are tricky, and whatever you do you may not please them. If space is an issue they would most likely skip libp11 and engine_pkcs11 completely and use plain PKCS#11 calls.
There are few disadvantages of the proxy module; it bundles all the available modules in the system as one, and places them into different slots. It also requires real-time function generation which doesn't work well with some selinux environments.
I am for it, and we should plan for that, but should keep that as an ultimate goal. engine_pkcs11 has to be transformed step by step, so that it can be added in openssl, and then propose to include it, and then enable it transparently.
0d0436e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ubuntu 15.10 (via
apt-rdepends -r libp11-2
) indicates libp11 is also used by:I guess there are also other products, not packaged in Ubuntu.
How does it affect engine_pkcs11?
How critical is this issue?