Fwd: LP#929108 support reading PIN from file when using PKCS#11 devices

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Apr 16 18:28:34 CEST 2012

On 04/16/2012 06:02 PM, Stef Walter wrote:

> On 2012-04-15 20:42, Nikos Mavrogiannopoulos wrote:
>> Hello Stef,
>>  I see the patch and I think it is based on a misunderstanding of what
>> pinfile is (or was). However, I'm not sure how the "pin" field is used
>> in p11-kit. Is there a way for someone to specify a pin in a file?
> p11-kit has functions to coordinate use of the pin-source (which used to
> be called the pinfile) of a URI.
> Applications or libraries that wish to 'provide' a PIN can install
> handlers for different values of pin-source. Gnutls (or other consumers
> of PINs) then call p11_kit_pin_request(), which will redirect to the
> correct pin-source handler.
> By default no pin-source handlers are installed. By adding the following
> default handler, p11-kit defaults to treating pin-source (or pinfile) as
> actual files. It will handle invocations of p11_kit_pin_request() by
> reading actual files:
>   p11_kit_pin_register_callback (P11_KIT_PIN_FALLBACK,
>                                  p11_kit_pin_file_callback,
>                                  NULL, NULL);
> It's up to you if you want this as default behavior for gnutls. It may
> make sense.

Indeed it makes sense to be the default. Could this, however, have bad
interactions with other callbacks that may be registered by other
programs or libraries?

> The patch adds that line so I guess that's the real meat of the
> suggested change.

There is also a change to avoid calling retrieve_pin_for_pinfile if
attempts is zero. I've currently included it but although it seems
sensible for a file read, it might break other callbacks. Does the
p11-kit file read callback fail if the attempt is not the first one?

I've currently added the check, but if the file callback fails
I should remove it.
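The dispatch Stef describes, as an added stand-alone C model (not p11-kit's or GnuTLS's code): a handler registered for an exact pin-source name wins, otherwise the fallback runs, and the file-reading fallback declines anything after the first attempt. The function names, the three-argument register call, the `attempt` counter and the retry rule are assumptions of this model, not p11-kit's API.

```c
/* Added example (not p11-kit or GnuTLS code): a stand-alone model of the
 * pin-source dispatch described above. Names are simplified stand-ins for
 * p11_kit_pin_register_callback()/p11_kit_pin_request() and carry no p11-kit
 * API contract; the destroy-callback argument is omitted. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PIN_FALLBACK NULL   /* stand-in for P11_KIT_PIN_FALLBACK */
#define MAX_HANDLERS 8
/* A handler returns a malloc'd PIN or NULL to decline; 'attempt' is 0 on
 * the first request for a token and increases on each retry (assumption). */
typedef char *(*pin_callback)(const char *pin_source, unsigned attempt, void *data);
static struct { const char *source; pin_callback cb; void *data; } handlers[MAX_HANDLERS];
static int nhandlers;
static char *dup_str(const char *s) { char *p = malloc(strlen(s) + 1); return p ? strcpy(p, s) : NULL; }

int pin_register_callback(const char *pin_source, pin_callback cb, void *data) {
    if (nhandlers == MAX_HANDLERS) return -1;
    handlers[nhandlers].source = pin_source; handlers[nhandlers].cb = cb;
    handlers[nhandlers].data = data; nhandlers++;
    return 0;
}

/* Dispatch: a handler registered for this exact pin-source wins; otherwise
 * the fallback (if any) is asked; with neither, the caller gets NULL. */
char *pin_request(const char *pin_source, unsigned attempt) {
    for (int i = 0; i < nhandlers; i++)
        if (handlers[i].source && strcmp(handlers[i].source, pin_source) == 0)
            return handlers[i].cb(pin_source, attempt, handlers[i].data);
    for (int i = 0; i < nhandlers; i++)
        if (handlers[i].source == PIN_FALLBACK)
            return handlers[i].cb(pin_source, attempt, handlers[i].data);
    return NULL;
}

/* Fallback that treats pin-source as a file path. A file holds one fixed
 * value, so answering a retry would resend the same wrong PIN and burn the
 * token's retry counter: this model declines anything after attempt 0. */
char *pin_file_callback(const char *pin_source, unsigned attempt, void *data) {
    char buf[64]; size_t n; FILE *f;
    (void)data;
    if (attempt > 0 || !(f = fopen(pin_source, "r"))) return NULL;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';   /* drop the trailing newline */
    return dup_str(buf);
}
/* Handler for one named source: hands back the fixed PIN passed as 'data'. */
char *fixed_pin_callback(const char *s, unsigned a, void *d) { (void)s; (void)a; return dup_str(d); }
/* Writes a constructed PIN file for the example run; 0 on success. */
int write_constructed_pin_file(const char *path, const char *contents) {
    FILE *f = fopen(path, "w");
    return f && fputs(contents, f) >= 0 && fclose(f) == 0 ? 0 : -1;
}
```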
