Re: pam_pkcs11 and libp11

Jonsy (teleline)
> I don't see a need to support two different interfaces:
> libp11 and direct PKCS#11. I think it is too much effort.

Perhaps you're right. The only reason to use libp11 is to
get a cleaner API. But I've had reports from several sites
using pam_pkcs11 at production level, and they want to keep
direct pkcs11 access....

Anyway, src/common/pkcs11.c is a sort of mini-libp11....

The only practical solution to my proposal might be to include
libp11 into sources, and compile and link statically if
not found....

You're right: sounds a bit dirty and a lot stupid :-).

So I'll drop libp11 support and work on the other tasks needed:

- Define several levels of certificate checking:
none, ca, crl, signature (ticket #6)
- Don't ask for PIN if no valid certificate is found (ticket #7)
- Move common pkcs11 code from pklogin_finder, pkcs11_inspect and
pam_pkcs11 to src/common/pkcs11.c, to get it cleaner
- Pkcs11 rsa headers should reside in a separate directory, as
they have a different license.
- Add pam_sm_password routines to allow changing the PIN via the PAM stack


Juan Antonio

opensc-devel mailing list