[gnutls-help] Multi-tenancy and PKCS #11
Nikos Mavrogiannopoulos
nmav at gnutls.org
Wed Jul 19 17:10:11 CEST 2017
On Wed, Jul 19, 2017 at 11:12 AM, Rick van Rein <rick at openfortress.nl> wrote:
> Hi,
>
>>> One thing that may be blocking it, is the fact that GnuTLS has a global
>>> setup for PKCS #11, including the available tokens and their PINs. Is
>>> that correct, or is there a way to get around this?
>>
>> Could you describe the ideal situation of handling smart cards for the
>> use case above?
>
> The design alternative that I'm exploring is one in which the TLS Pool is
> a networked component, serving to multiple daemons, and/or where each
> daemon can run on behalf of various domain names. Ideally, the credentials
> of each domain name would be kept separate in the TLS Pool, rather than
> trusting the daemon to do the right thing. The daemon is closer to the
> protocols and parsers of the application, after all, and the whole idea of
> the TLS Pool is keeping application logic and security logic separated.
>
>> The situation in gnutls is that pkcs11 shared modules
>> are loaded globally, pins etc are cached/used per private key,
>> operation.
>
> The PINs may be the solution then. You didn't write down the precise
> logic, right? Well you did, of course, in the code :) so maybe I should
> take a look there. I had assumed PINs were strictly delegated to p11-kit.
You may want to check gnutls_pkcs11_privkey_t handling. Only the
shared module should be global on its handling. Everything else is
local to the object.
regards,
Nikos
More information about the Gnutls-help
mailing list