Make libykcs11.so a module and configure p11-kit to see it #176

Open
wants to merge 1 commit into
base: master
from

3 participants
@opoplawski commented Nov 30, 2018

Unfortunately I worked on this before realizing that libykcs11 is an incomplete implementation. However, this all still remains the right thing to do. One should probably even drop the "lib" from the name of the module since it isn't meant to be linked to directly, but that would probably break too much. Much of this was cribbed from opensc.

@a-dma (Member) commented Dec 10, 2018

Hey, thanks for the contribution.
I'm not very familiar with p11-kit, but I see you've removed the .map file and manually exported all the functions. Is this what p11-kit expects? The usual way is to only export the two symbols that were in the .map file.

@mouse07410 commented Dec 10, 2018

At least on MacOS this was not necessary. I have a lot of problems with libykcs11, but I haven't seen the one this PR is supposed to address. In my experience, p11-kit works with all the libraries I used (opensc-pkcs11.so, libykcs11.so, yubihsm_pkcs11.so, libsofthsm2.so) just fine, assuming that ~/.config/pkcs11/modules/ had the right stuff.

@opoplawski (Author) commented Dec 11, 2018

Hey, thanks for the contribution.
I'm not very familiar with p11-kit, but I see you've removed the .map file and manually exported all the functions. Is this what p11-kit expects? The usual way is to only export the two symbols that were in the .map file.

I'm honestly not sure what p11-kit expects here. I just copied the exports configuration from opensc and figured they knew what they were doing. If things worked before with just those two symbols, that's probably all that is needed. I don't think they need to be versioned though as this is a defined interface.

@mouse07410 commented Dec 11, 2018

I don't like this approach (it looks hacky to me), and am concerned that merging it would break what currently works. p11-kit does not need this, and works perfectly fine as is:

$ p11tool --list-token-urls
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=xxxxxxxx;token=[nobody's business]
pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=xxxxxxxx;token=Botan%20PKCS%2311%20tests
pkcs11:model=YubiHSM;manufacturer=Yubico%20%28www.yubico.com%29;serial=xxxxxxxx;token=YubiHSM
pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
$ ll ~/.config/pkcs11/modules
total 32
drwxr-xr-x  6 mouse  admin               192 Nov 26 17:22 ./
drwxr-xr-x  4 mouse  admin               128 Feb  1  2018 ../
-rw-r--r--  1 mouse  MITLL\Domain Users  107 Jun 12  2018 opensc.module
-rw-r--r--  1 mouse  MITLL\Domain Users  160 Jun 12  2018 softhsm2.module
-rw-r--r--  1 mouse  MITLL\Domain Users  396 Nov 26 17:22 yhsm2.module
-rw-r--r--  1 mouse  MITLL\Domain Users   39 Jun 12  2018 ykcs11.module
$ 

You do have the modules configured, right?

$ cat ~/.config/pkcs11/modules/ykcs11.module 
module: /usr/local/lib/libykcs11.dylib
$ cat ~/.config/pkcs11/modules/opensc.module 
module: /Library/OpenSC/lib/opensc-pkcs11.dylib
#module: /Library/OpenSC/lib/pkcs11-spy.dylib
critical: no
$ cat ~/.config/pkcs11/modules/yhsm2.module 
# PKCS#11 YubiHSM2 interface module v1.0.4
#module: /usr/local/lib/yubihsm_pkcs11.1.dylib
# PKCS#11 YubiHSM2 interface module v2.0.0
module: /usr/local/lib/yubihsm_pkcs11.2.dylib
# PKCS#11 interface module v0.2.0
#module: /usr/local/lib/yubihsm_pkcs11.0.2.0.dylib
# Debugging - trace all the PKCS#11 communications with the YubiHSM2 device
#module: /Library/OpenSC/lib/pkcs11-spy.so
critical: no
$
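A small sanity check for module files like the ones above, added here as an example (not code from the PR or from the yubico-piv-tool project): it reads the active `module:` and `critical:` keys, ignores commented-out lines such as the pkcs11-spy entries, and refuses a file whose library path does not exist or whose `critical` value is not yes/no. The key names and `#` comment syntax come from the files quoted in the thread; the validation rules and the temp-dir sample files are constructed for the example.

```shell
# Added example, not code from the PR or from yubico-piv-tool: sanity-check a
# p11-kit module file before installing it. Assumes the "key: value" format
# with "#" comment lines and the keys "module" and "critical" used in the
# files quoted in this thread; the validation rules below are our own.
set -eu

# Print the active (non-comment) value of a key; later lines win, empty if absent.
p11_module_get() {
    key="$1"; file="$2"
    grep -v '^[[:space:]]*#' "$file" \
        | sed -n "s/^[[:space:]]*${key}[[:space:]]*:[[:space:]]*//p" \
        | tail -n 1
}

# Succeed only if there is exactly one active "module:" line, its path exists,
# and "critical" (when present) is yes or no. Diagnostics go to stderr.
p11_module_check() {
    file="$1"
    n=$(grep -v '^[[:space:]]*#' "$file" \
        | grep -c '^[[:space:]]*module[[:space:]]*:' || true)
    [ "$n" -eq 1 ] || { echo "$file: expected one active module: line, found $n" >&2; return 1; }
    path=$(p11_module_get module "$file")
    [ -f "$path" ] || { echo "$file: module path does not exist: $path" >&2; return 1; }
    crit=$(p11_module_get critical "$file")
    case "$crit" in
        ""|yes|no) ;;
        *) echo "$file: critical must be yes or no, got '$crit'" >&2; return 1 ;;
    esac
}

# Constructed demo input in a temp dir: a stand-in library, a module file with
# a commented-out pkcs11-spy line (as in the thread), and a broken file.
demo_dir=$(mktemp -d)
touch "$demo_dir/libykcs11.so"
cat > "$demo_dir/ykcs11.module" <<EOF
# Debugging alternative, disabled: comment lines must be ignored
#module: $demo_dir/pkcs11-spy.so
module: $demo_dir/libykcs11.so
critical: no
EOF
cat > "$demo_dir/broken.module" <<EOF
module: $demo_dir/missing.so
critical: maybe
EOF

p11_module_check "$demo_dir/ykcs11.module" && echo "ykcs11.module: ok"
p11_module_check "$demo_dir/broken.module" || echo "broken.module: rejected"
```

Point `p11_module_check` at a real file under `~/.config/pkcs11/modules` or the system-wide directory to check it before p11-kit tries to load it.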
@opoplawski (Author) commented Dec 11, 2018

Well, one of the main goals of the PR is to install the p11-kit module file automatically, at least on Linux.

@mouse07410 commented Dec 11, 2018

one of the main goals of the PR is to install the p11-kit module file automatically

I'm not sure what you mean by "automatically". Configuration files I provided are needed, and it's far better to use them than hacking the source. If you look up p11-kit, you'll find that there are system-wide config files and directories - if you insist, you can install the relevant *.module files there.

Although I'm still at a loss as to what you hope to get out of it (i.e., assuming p11-kit works perfectly to your satisfaction). This library IMHO is quite inferior to the one provided by OpenSC for everything related to use of Yubikey tokens. The only thing where this one might do better is key generation - which anybody sane would do via a tool like yubico-piv-tool anyway.
