| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| |
|
|
|
|
| |
This enables to control whether a module will be loaded from the proxy
module. The configuration reuses the "enable-in" and "disable-in"
options, with a special literal "p11-kit-proxy" as the value.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
If an unknown attribute is present in the query part of the PKCS#11 URI,
the parser treated it as unrecognized and subsequent matches failed.
Instead, keep track of such attributes and provide a set of API to deal
with them.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a PKCS#11 module that connects to the p11-kit server
exposed on the filesystem. The filename of the socket is determined in
the following order:
- $P11_KIT_SERVER_ADDRESS, if the envvar is available
- $XDG_RUNTIME_DIR/p11-kit/pkcs11, if the envvar is available
- /run/$(id -u)/p11-kit/pkcs11, if /run/$(id -u) exists
- /var/run/$(id -u)/p11-kit/pkcs11, if /var/run/$(id -u) exists
- ~/.cache/p11-kit/pkcs11.
Note that the program loading this module may have called setuid() and
secure_getenv() which we use for fetching envvars could return NULL.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
While PKCS#11 URI can identify slots/tokens/modules, P11KitIter is only
capable of iterating over objects.
This patch adds new behaviors to P11KitIter to support iterations over
slots/tokens/modules, using the C coroutine trick as described in:
http://www.chiark.greenend.org.uk/~sgtatham/coroutines.html
|
| |
|
|
|
|
|
|
|
|
|
| |
This dumps all the PKCS#11 objects in the internal .p11-kit
persistence format.
This is part of the trust command and tooling, even though
at some point it could go in the p11-kit command. The reason
for this is that the code related to the internal .p11-kit
objects is in the trust code, and consumed solely by the
trust related modules.
|
| |
|
|
|
|
|
|
| |
libffi's closure support is not available on all platforms and may fail
at run time if running under a stricter SELinux policy. Fallback to
pre-compiled closures if it is not usable.
https://bugs.freedesktop.org/show_bug.cgi?id=97611
|
| |
|
|
|
| |
Accept and produce 'module-name' and 'module-path' query attributes
defined in RFC 7512.
|
| | |
|
| | |
|
| |
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=1160783
|
| |
|
|
|
| |
The p11-kit code has moved to GitHub. The documentation needs
an update.
|
| |
|
|
| |
Pointed out by David Woodhouse
|
| |
|
|
|
| |
Previously these were expanded based on the home directory of the
one building the documentation (me).
|
| |
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=92520
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This allows extraction of a directory of standard PEM files
with the OpenSSL hash symlinks; this is a format used by
some popular platforms (Debian's /etc/ssl/certs is in this
form, and OpenSUSE provides it for compatibility).
Initially by: Ludwig Nussel <ludwig.nussel@suse.de>
Signed-off-by: Stef Walter <stefw@redhat.com>
* Added header, fixed compiler warnings
|
| |
|
|
|
|
|
| |
These PEM blocks contribute a CKA_PUBLIC_KEY_INFO to the object
being read/written.
https://bugs.freedesktop.org/show_bug.cgi?id=83799
|
| |
|
|
|
|
| |
This option was not completed in time, and as implemented suffers
from limitations that the module is not really completely isolated
as it still runs under the same user id as the calling process.
|
| |
|
|
|
|
|
| |
Move our internal stuff to pkcs11i.h, and install the pkcs11x.h
header containing extensions.
https://bugs.freedesktop.org/show_bug.cgi?id=83495
|
| |
|
|
| |
Still use recursive for documentation and translation.
|
| | |
|
| |
|
|
|
|
|
| |
This sets 'remote' appropriately to run the module in a separate
process.
https://bugs.freedesktop.org/show_bug.cgi?id=80472
|
| |
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=54105
|
| |
|
|
|
| |
This adds a new tool to the p11-kit command called 'remote'. This
is the server side of remoting a PKCS#11 module.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* This enables passing around bytes which represent PKCS#11 RPC calls.
* Caller is responsible for connecting/disconnecting and so on.
* Client side caller gets a mixin from p11_rpc_client_init() to call
into, which generates callbacks with byte arrays to be transported.
* Server side calls p11_rpc_server_handle() with a CK_FUNCTION_LIST_PTR
on which relevant methods get called.
* Doesn't yet implement the actual daemon or clients etc...
https://bugs.freedesktop.org/show_bug.cgi?id=54105
|
| |
|
|
|
| |
These are useful functions for callers who want to supress all output
from p11-kit library.
|
| |
|
|
| |
Naturally this doesn't apply to tarballs
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Handy function since this is a common need.
|
| |
|
|
| |
This is so we can set a filtering uri on the iterator after construction
|
| |
|
|
|
| |
To get the already loaded CK_TOKEN_INFO during iteration for the
token that the current object is on.
|
| |
|
|
|
| |
This allows us to try to get a RW session, but if not fallback
to a read-only session.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
If ~/.config is specified as a prefix to a configured path,
then it is expanded to the $XDG_CONFIG_HOME if that exists
Add --with-user-config ./configure option to configure a
different user config directory.
Interpolate the right directories into documentation.
|
| |
|
|
|
|
|
| |
When running as setuid() or setgid() don't access the user's home
directory, or use $HOME environment variables.
https://bugzilla.redhat.com/show_bug.cgi?id=985014
|
| | |
|
| |
|
|
|
|
| |
Since we don't want to link freebl3 to libp11-kit.so where it isn't
needed, move the SHA-1 and MD5 digest functionality to the trust/
directory.
|
