Thank you for the input, David. I'll discuss the issue with my colleague Mike Gerow and we will probably switch to using p11-kit. When it comes to WPA Supplicant itself do you think that manually specifying the pkcs11 engine and module path should be deprecated/removed? On Mon, Jun 6, 2016 at 2:34 PM, David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote: > On Mon, 2016-06-06 at 14:13 +0200, Michael Schaller wrote: >> David explains correctly what happens. This started happening for us >> on Debian testing with the release of the libengine-pkcs11-openssl >> package version 0.2.1-2 in March 2016 and it took us a while to >> analyze the issue. The package had changed the libpkcs11.so location >> from /usr/lib/ssl/engines/libpkcs11.so to >> /usr/lib/x86_64-linux-gnu/openssl-1.0.2/engines/libpkcs11.so. Since >> this move the autoload of the pkcs11 engine on the ENGINE_by_id call >> works and we get a pkcs11 engine initialized for the use of p11-kit >> instead of the expected initialization for the specified opencryptoki >> module. We initialize the pkcs11 engine and module path via D-Bus via >> the SetPKCS11EngineAndModulePath method. >> >> David, is the general recommendation to switch over to p11-kit? > > Yes, definitely. > > With p11-kit you get a system-wide configuration for which modules to > load into which applications, with a per-user override: > https://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html > > This is honoured directly by GnuTLS applications because GnuTLS uses > libp11-kit directly. For other crypto libraries (OpenSSL, NSS, etc.) it > can be achieved just by loading the p11-kit-proxy.so module — which > loads all the modules specified by the p11-kit configuration, as > "slots" of its own. > > In Fedora it is now considered a bug if any packaged software *doesn't* > automatically load the tokens specified by the p11-kit configuration, > and allow you to use a RFC7512 PKCS#11 URI in any place you would have > been able to use a filename to specify a certificate or key. > > So to go back to what you said above... > >> we get a pkcs11 engine initialized for the use of p11-kit instead of >> the expected initialization for the specified opencryptoki> module. > > It's not supposed to be "instead of". Your p11-kit configuration is > supposed to say what modules you want loaded, and then they're visible. > > (Yes, it would be nicer if OpenSSL and the engine would use libp11-kit > directly instead of the trick of loading p11-kit-proxy.so, but we'll > work on that for OpenSSL 1.3 where we turn PKCS#11 into a proper first- > class citizen and we'll be able to use it for trust and all kinds of > other things properly.) > >> We initialize the pkcs11 engine and module path via D-Bus via> the >> SetPKCS11EngineAndModulePath method. > > You shouldn't need to do that. If the 'filename' you pass starts with > 'pkcs11:' then it gets done automatically. And if you are referencing > objects in the PKCS#11 token by the horrid old crufty ID string that > predated RFC7512, then don't :) > > -- > dwmw2 _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
