-rw-r--r--doc/manual/p11-kit.xml15
-rw-r--r--doc/manual/pkcs11.conf.xml13
-rw-r--r--p11-kit/rpc-transport.c57
-rw-r--r--p11-kit/tests/test-transport.c2
4 files changed, 59 insertions, 28 deletions
diff --git a/doc/manual/p11-kit.xml b/doc/manual/p11-kit.xml
index bc618f9..be3f982 100644
--- a/doc/manual/p11-kit.xml
+++ b/doc/manual/p11-kit.xml
@@ -93,6 +93,21 @@ $ p11-kit list-modules
for more information</para>
</refsect1>
+<refsect1 id="p11-kit-remote">
+ <title>Remote</title>
+
+ <para>Run a PKCS#11 module remotely.</para>
+
+<programlisting>
+$ p11-kit remote /path/to/pkcs11-module.so
+</programlisting>
+
+ <para>This is not meant to be run directly from a terminal. But rather in a
+ <option>remote</option> option in a
+ <citerefentry><refentrytitle>pkcs11.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ file.</para>
+</refsect1>
+
<refsect1 id="p11-kit-bugs">
<title>Bugs</title>
<para>
diff --git a/doc/manual/pkcs11.conf.xml b/doc/manual/pkcs11.conf.xml
index 0b61b6f..2617677 100644
--- a/doc/manual/pkcs11.conf.xml
+++ b/doc/manual/pkcs11.conf.xml
@@ -155,6 +155,19 @@ x-custom : text
</listitem>
</varlistentry>
<varlistentry>
+ <term><option>remote:</option></term>
+ <listitem>
+ <para>Instead of loading the PKCS#11 module locally, run the module
+ remotely.</para>
+ <para>Specify a command to run, prefixed with <literal>|</literal> a pipe.
+ The command must speak the p11-kit remoting protocol on its standard in
+ and standard out. For example:</para>
+<programlisting>
+remote: |ssh user@remote p11-kit remote /path/to/module.so
+</programlisting>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><option>trust-policy:</option></term>
<listitem>
<para>Set to <literal>yes</literal> to use use this module as a source
diff --git a/p11-kit/rpc-transport.c b/p11-kit/rpc-transport.c
index 0ff82d8..8c3fb0c 100644
--- a/p11-kit/rpc-transport.c
+++ b/p11-kit/rpc-transport.c
@@ -542,14 +542,16 @@ struct _p11_rpc_transport {
};
static void
-on_rpc_disconnect (p11_rpc_client_vtable *vtable,
- void *init_reserved)
+rpc_transport_disconnect (p11_rpc_client_vtable *vtable,
+ void *init_reserved)
{
p11_rpc_transport *rpc = (p11_rpc_transport *)vtable;
- if (rpc->socket)
+ if (rpc->socket) {
+ rpc_socket_close (rpc->socket);
rpc_socket_unref (rpc->socket);
- rpc->socket = NULL;
+ rpc->socket = NULL;
+ }
}
static bool
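Review bot: The rpc_socket_close() added to rpc_transport_disconnect means the socket is now closed twice on the exec path: rpc_exec_disconnect already calls `rpc_socket_close (rex->base.socket)` (visible as context in the later hunk) and then delegates to rpc_transport_disconnect, which closes it again before unref. Whether that is harmless depends on rpc_socket_close being idempotent, which this diff does not show; if it is not, the second call operates on an already-closed descriptor. Either drop the explicit close in rpc_exec_disconnect now that the common path does it, or document the contract on the new code with `/* rpc_socket_close must be safe to call more than once: rpc_exec_disconnect closes first */`.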
@@ -573,9 +575,9 @@ rpc_transport_uninit (p11_rpc_transport *rpc)
}
static CK_RV
-on_rpc_transport (p11_rpc_client_vtable *vtable,
- p11_buffer *request,
- p11_buffer *response)
+rpc_transport_buffer (p11_rpc_client_vtable *vtable,
+ p11_buffer *request,
+ p11_buffer *response)
{
p11_rpc_transport *rpc = (p11_rpc_transport *)vtable;
CK_RV rv = CKR_OK;
@@ -632,7 +634,7 @@ typedef struct {
} rpc_exec;
static void
-wait_or_terminate (pid_t pid)
+rpc_exec_wait_or_terminate (pid_t pid)
{
bool terminated = false;
int status;
@@ -672,8 +674,8 @@ wait_or_terminate (pid_t pid)
}
static void
-on_rpc_exec_disconnect (p11_rpc_client_vtable *vtable,
- void *fini_reserved)
+rpc_exec_disconnect (p11_rpc_client_vtable *vtable,
+ void *fini_reserved)
{
rpc_exec *rex = (rpc_exec *)vtable;
@@ -681,11 +683,11 @@ on_rpc_exec_disconnect (p11_rpc_client_vtable *vtable,
rpc_socket_close (rex->base.socket);
if (rex->pid)
- wait_or_terminate (rex->pid);
+ rpc_exec_wait_or_terminate (rex->pid);
rex->pid = 0;
/* Do the common disconnect stuff */
- on_rpc_disconnect (vtable, fini_reserved);
+ rpc_transport_disconnect (vtable, fini_reserved);
}
static int
@@ -699,8 +701,8 @@ set_cloexec_on_fd (void *data,
}
static CK_RV
-on_rpc_exec_connect (p11_rpc_client_vtable *vtable,
- void *init_reserved)
+rpc_exec_connect (p11_rpc_client_vtable *vtable,
+ void *init_reserved)
{
rpc_exec *rex = (rpc_exec *)vtable;
pid_t pid;
@@ -761,7 +763,7 @@ static void
rpc_exec_free (void *data)
{
rpc_exec *rex = data;
- on_rpc_exec_disconnect (data, NULL);
+ rpc_exec_disconnect (data, NULL);
rpc_transport_uninit (&rex->base);
p11_array_free (rex->argv);
free (rex);
@@ -797,9 +799,9 @@ rpc_exec_init (const char *remote,
p11_array_push (argv, NULL);
rex->argv = argv;
- rex->base.vtable.connect = on_rpc_exec_connect;
- rex->base.vtable.disconnect = on_rpc_exec_disconnect;
- rex->base.vtable.transport = on_rpc_transport;
+ rex->base.vtable.connect = rpc_exec_connect;
+ rex->base.vtable.disconnect = rpc_exec_disconnect;
+ rex->base.vtable.transport = rpc_transport_buffer;
rpc_transport_init (&rex->base, name, rpc_exec_free);
p11_debug ("initialized rpc exec: %s", remote);
@@ -813,24 +815,25 @@ p11_rpc_transport_new (p11_virtual *virt,
const char *remote,
const char *name)
{
- p11_rpc_transport *rpc;
+ p11_rpc_transport *rpc = NULL;
return_val_if_fail (virt != NULL, NULL);
return_val_if_fail (remote != NULL, NULL);
return_val_if_fail (name != NULL, NULL);
-#ifdef OS_UNIX
- /* For now we assume it's all a command line */
- rpc = rpc_exec_init (remote, name);
-
-#else /* !OS_WIN32 */
- rpc = NULL;
+#ifdef OS_WIN32
p11_message ("Windows not yet supported for remote");
+ return NULL;
+#endif
-#endif /* OS_WIN32 */
+ /* This is a command we can execute */
+ if (remote[0] == '|') {
+ rpc = rpc_exec_init (remote + 1, name);
- if (!rpc)
+ } else {
+ p11_message ("remote not supported: %s", remote);
return NULL;
+ }
if (!p11_rpc_client_init (virt, &rpc->vtable))
return_val_if_reached (NULL);
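Review bot: The `if (!rpc) return NULL;` that guarded rpc_exec_init's result has been removed, so a NULL return now flows straight into `&rpc->vtable` in the p11_rpc_client_init call. rpc_exec_init's body lies outside this hunk; if it can fail (an allocation or argv-parse failure would be the usual reason), this is a NULL dereference on the error path rather than a clean failure. Restore the guard after the if/else, e.g. `return_val_if_fail (rpc != NULL, NULL);`, which also gives the now-unused `rpc = NULL` initialiser on the first line a purpose. The `#ifdef OS_WIN32` early return leaves the rest of the function unreachable on Windows, which some compilers warn about; that is cosmetic but worth a comment.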
diff --git a/p11-kit/tests/test-transport.c b/p11-kit/tests/test-transport.c
index 6ae6072..4656d34 100644
--- a/p11-kit/tests/test-transport.c
+++ b/p11-kit/tests/test-transport.c
@@ -68,7 +68,7 @@ setup_remote (void *unused)
test.user_config = p11_path_build (test.directory, "pkcs11.conf", NULL);
p11_test_file_write (NULL, test.user_config, data, strlen (data));
- data = "remote: " BUILDDIR "/../p11-kit remote " BUILDDIR "/.libs/mock-two.so\n";
+ data = "remote: |" BUILDDIR "/../p11-kit remote " BUILDDIR "/.libs/mock-two.so\n";
p11_test_file_write (test.user_modules, "remote.module", data, strlen (data));
p11_config_user_modules = test.user_modules;