Re: support for arbitrary PKCS11 pin input method
- To: Silvan Marco Fin <email@example.com>
- Subject: Re: support for arbitrary PKCS11 pin input method
- From: Rich Megginson <firstname.lastname@example.org>
- Date: Wed, 13 Oct 2010 08:26:28 -0600
- Cc: email@example.com
- In-reply-to: <4CB59234.firstname.lastname@example.org>
- References: <4CB31DF9.email@example.com> <4CB333FE.firstname.lastname@example.org> <4CB357D2.email@example.com> <4CB59234.firstname.lastname@example.org>
- User-agent: Thunderbird (X11/20100702)
Silvan Marco Fin wrote:
> On 11.10.2010 20:30, Howard Chu wrote:
>> Rich Megginson wrote:
>>> Silvan Marco Fin wrote:
>>>> I searched through tls_m.c for means to enter the token PIN for a
>>>> PKCS11 token. I found a call to PK11_SetPasswordFunc(). The callback is
>>>> set to tlsm_pin_prompt(), which by itself uses tlsm_get_pin().
>>>> tlsm_get_pin() only supports reading the PIN from file or via STDIN. To
>>>> be usable within any form of GUI, there would have to be some method to
>>>> pass a GUI callback to ask for the PIN.
>>>>
>>>> To clarify: GUI callback is too specific. In any application requesting
>>>> PINs to access some sort of crypto device, there would be the need of a
>>>> callback function which can be registered to openldap in the same way
>>>> openldap registers its own functions to the crypto library
>>>> (PK11_SetPasswordFunc() in this case), since we might not read from
>>>> STDIN and file is insecure, as is stated in the comments in tlsm_get_pin().
>>>
>>> How would this work? Would you pass in a callback function with your
>>> private context, and this callback function would be called with the
>>> current MozNSS context + your provided context? What would be the
>>> possible return values from your callback? What should the code do
>>> depending upon each return value? Is there currently a way, via the
>>> OpenLDAP API, to pass in such a function and context?
>
> The parameters to the PK11_SetPasswordFunc() are described in
> Instead of tlsm_pin_prompt() the application's callback function should

Ok. That's how it works at the lower level for MozNSS - how should it
work for the higher level openldap API that you will have to interact with?

>> For what it's worth, we need to add this feature for
>> sasl_interactive_bind as well. Thus far, for the ldap_sasl interface all
>> of the callback parameters have been passed on the function invocation,
>> as opposed to being set by a separate ldap_set_option(). It makes for a
>> clunky function signature, but seems safest in terms of re-entrancy...
>
> Is there a roadmap for these adaptations or can you give any hint on
> whether this will be done in the near future?

Can you file an ITS?
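Added example (editor's note, not part of the thread and not code from OpenLDAP's tls_m.c or from NSS): the callback-plus-private-context pattern Rich asks about, with the return-value contract NSS already uses. In NSS the function registered with PK11_SetPasswordFunc() is called as (slot, retry, arg): it returns a heap-allocated PIN that NSS frees, or NULL to cancel, and `retry` is set when the previous PIN was rejected; the `arg` is the per-operation PKCS#11 "pin arg" (for SSL sockets set with SSL_SetPKCS11PinArg()), which is exactly the slot for an application's private context. Everything below that is not that signature is a stand-in invented for this example: `Token`, `AppPinCtx`, `app_pin_callback` and `token_login` are hypothetical, and the token "verifies" the PIN with strcmp() only so the code builds and runs without NSS. It also shows the two things a GUI-facing callback must get right that a file/stdin loop does not: the caller frees and wipes the PIN, and the callback returns NULL before a real token's wrong-PIN counter locks it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a PKCS#11 token (hypothetical; not NSS's PK11SlotInfo).
 * A real token verifies the PIN internally and locks after N wrong PINs. */
typedef struct {
    const char *name;
    const char *pin;          /* PIN the model token checks against */
    int wrong_attempts;
    int max_wrong;            /* lockout threshold */
    int locked;
} Token;

/* Same shape as NSS's PK11PasswordFunc (slot, retry, arg): return a
 * heap-allocated PIN the caller frees, or NULL to cancel. */
typedef char *(*PinFunc)(Token *tok, int retry, void *arg);

/* Application's private context, handed back untouched as `arg`.
 * It replays constructed answers a GUI dialog would have returned. */
typedef struct {
    const char **answers;     /* constructed sample input */
    int nanswers;
    int next;
    int max_prompts;          /* give up before the token locks out */
    int prompts;
} AppPinCtx;

static char *dup_pin(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Hypothetical application-side callback (what a GUI would register). */
static char *app_pin_callback(Token *tok, int retry, void *arg)
{
    AppPinCtx *ctx = arg;
    (void)tok;      /* a real dialog would name tok->name ... */
    (void)retry;    /* ... and say "wrong PIN, try again" when retry != 0 */
    if (ctx->prompts >= ctx->max_prompts || ctx->next >= ctx->nanswers)
        return NULL;          /* NULL = cancel: the library must stop prompting */
    ctx->prompts++;
    return dup_pin(ctx->answers[ctx->next++]);
}

/* Overwrite the PIN before freeing; volatile keeps the stores alive. */
static void wipe_and_free(char *s)
{
    volatile char *p = (volatile char *)s;
    while (*p != 0)
        *p++ = 0;
    free(s);
}

typedef enum { LOGIN_OK = 0, LOGIN_CANCELLED = 1, LOGIN_LOCKED = 2 } LoginResult;

/* Hypothetical library side: the prompt/verify/retry loop the TLS layer
 * would run with a registered callback and context instead of file/stdin.
 * Callback and context travel with the call, not via a global setting. */
static LoginResult token_login(Token *tok, PinFunc fn, void *arg)
{
    int retry = 0;
    for (;;) {
        if (tok->locked)
            return LOGIN_LOCKED;
        char *pin = fn(tok, retry, arg);
        if (pin == NULL)
            return LOGIN_CANCELLED;
        int ok = (strcmp(pin, tok->pin) == 0);   /* model check only */
        wipe_and_free(pin);
        if (ok) {
            tok->wrong_attempts = 0;
            return LOGIN_OK;
        }
        if (++tok->wrong_attempts >= tok->max_wrong)
            tok->locked = 1;
        retry = 1;            /* next prompt is flagged as a retry */
    }
}

/* Scenario 1: the user mistypes once, then gets it right. */
LoginResult scenario_wrong_then_right(void)
{
    Token tok = { "softhsm-slot-1", "4321", 0, 3, 0 };
    const char *answers[] = { "1234", "4321" };
    AppPinCtx ctx = { answers, 2, 0, 3, 0 };
    return token_login(&tok, app_pin_callback, &ctx);
}

/* Scenario 2: the callback refuses a third prompt, so a token that locks
 * after 3 wrong PINs stays unlocked. Returns the wrong-attempt count when
 * the login was cancelled without a lockout, -1 otherwise. */
int scenario_gives_up_before_lockout(void)
{
    Token tok = { "softhsm-slot-1", "4321", 0, 3, 0 };
    const char *answers[] = { "0000", "1111", "2222", "3333" };
    AppPinCtx ctx = { answers, 4, 0, 2, 0 };
    LoginResult r = token_login(&tok, app_pin_callback, &ctx);
    return (r == LOGIN_CANCELLED && !tok.locked) ? tok.wrong_attempts : -1;
}

int main(void)
{
    printf("wrong-then-right: %d (0 = LOGIN_OK)\n", scenario_wrong_then_right());
    printf("gives-up: %d wrong attempts, token left unlocked\n",
           scenario_gives_up_before_lockout());
    return 0;
}
```

The point relevant to Howard's re-entrancy remark: PK11_SetPasswordFunc() itself is process-wide, so the only per-connection state is the `arg` pointer, and whichever OpenLDAP API is added has to carry that pointer with the call (as token_login() does here) rather than store it in a single ldap_set_option() slot shared by every thread.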