
Re: support for arbitrary PKCS11 pin input method

Rich Megginson wrote:
Silvan Marco Fin wrote:

  I searched through tls_m.c for means to enter the token PIN for a
PKCS11 token. I found a call to PK11_SetPasswordFunc(). The callback is
set to tlsm_pin_prompt(), which by itself uses tlsm_get_pin().
tlsm_get_pin() only supports reading the PIN from file or via STDIN. To
be usable within any form of GUI, there would have to be some method to
pass a GUI callback to ask for the PIN.

How would this work?  Would you pass in a callback function with your
private context, and this callback function would be called with the
current MozNSS context + your provided context?  What would be the
possible return values from your callback?  What should the code do
depending upon each return value?  Is there currently a way, via the
OpenLDAP API, to pass in such a function and context?

For what it's worth, we need to add this feature for sasl_interactive_bind as well. Thus far, for the ldap_sasl interface all of the callback parameters have been passed on the function invocation, as opposed to being set by a separate ldap_set_option(). It makes for a clunky function signature, but seems safest in terms of re-entrancy...

  Do you plan on implementing such a feature in the near future or is
there a proposed way of setting such a callback method?

  Kind regards,

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
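
The design questions raised in this thread (a callback with private context, its return values, and what the caller does with each) sketched as an added example; this is not code from the thread, OpenLDAP or NSS. All names (`pin_cb`, `pin_request`, `pin_trampoline`, `demo_cb`) are hypothetical, and a `const char *token` stands in for the NSS slot handle.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical sketch: these names exist in neither OpenLDAP nor NSS. */
enum pin_rc { PIN_OK, PIN_CANCEL, PIN_ERROR };
/* App callback: fill buf with a NUL-terminated PIN; retry != 0 after a rejected PIN. */
typedef enum pin_rc (*pin_cb)(const char *token, int retry,
                              char *buf, size_t buflen, void *appctx);
struct pin_request {       /* travels as the library's opaque callback argument */
    pin_cb cb;
    void *appctx;          /* caller's private context, e.g. a dialog handle */
    int attempts;
    int max_attempts;      /* keep below the token's lockout threshold */
};

static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Shaped like NSS's PK11PasswordFunc (slot, retry, arg): returns a heap copy
 * of the PIN that the caller frees, or NULL to abort the login. */
char *pin_trampoline(const char *token, int retry, void *arg) {
    struct pin_request *req = arg;
    char buf[64] = {0};
    char *out = NULL;

    if (!req || !req->cb || req->attempts >= req->max_attempts)
        return NULL;       /* stop prompting before the token locks */
    req->attempts++;
    if (req->cb(token, retry, buf, sizeof buf, req->appctx) == PIN_OK &&
        buf[0] != '\0' && memchr(buf, '\0', sizeof buf) != NULL) {
        size_t n = strlen(buf) + 1;
        out = malloc(n);
        if (out) memcpy(out, buf, n);
    }
    wipe(buf, sizeof buf);  /* no PIN copy left on the stack */
    return out;
}

/* Constructed sample callback: appctx holds the PIN a GUI dialog would return. */
enum pin_rc demo_cb(const char *token, int retry,
                    char *buf, size_t buflen, void *appctx) {
    (void)token;
    if (retry) return PIN_CANCEL;              /* user dismissed the re-prompt */
    if (!appctx || strlen(appctx) >= buflen) return PIN_ERROR;
    strcpy(buf, appctx);
    return PIN_OK;
}
```

Carrying the callback and its context in one per-request struct keeps the state off any global, which matches the re-entrancy concern raised above.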