> I don't see a need to support two different interfaces:
> libp11 and direct PKCS#11. I think it is too much effort.

Perhaps you're right. The only reason to use libp11 is to
get a cleaner API. But I've had reports of several sites
using pam_pkcs11 at production level, and they want to keep
direct pkcs11 access....
Anyway, src/common/pkcs11.c is a sort of mini-libp11....
The only practical solution to my proposal might be to include
libp11 in the sources, and compile and link it statically if
no libp11.so is found....
You're right: sounds a bit dirty and a lot stupid :-).
So I'll drop libp11 support and work on the other tasks needed:
- Define several levels of certificate checking:
  none, ca, crl, signature (ticket #6)
- Don't ask for the PIN if no valid certificate is found (ticket #7)
- Move common pkcs11 code from pklogin_finder, pkcs11_inspect and
  pam_pkcs11 to src/common/pkcs11.c, to make it cleaner
- Pkcs11 rsa headers should reside in a separate directory, as
  they have a different license.
- Add pam_sm_password routines to allow changing the PIN via the pam stack