OpenSC / pkcs11-helper

Library that simplifies the interaction with PKCS#11 providers for end-user applications using a simple API and optional OpenSSL engine

Getting slot ID from slotEventHook #66

Closed arrowd closed 9 months ago

arrowd commented 10 months ago

Reading the __pkcs11h_slotevent_provider function's code, it seems that the slot value returned from C_WaitForSlotEvent is discarded. This makes it impossible to figure out which slot exactly has generated an event.

alonbl commented 10 months ago

Hi, in pkcs11-helper the slots are abstracted, as one of the most difficult flows is managing the slots. The notification allows you to refresh your certificate store. Alon

arrowd commented 10 months ago

Do you mean calling pkcs11h_plugAndPlay?

alonbl commented 10 months ago

No, pkcs11h_plugAndPlay() should be called only as a hack for providers that do not support plug and play; it destroys the context and creates it again. Plug and play is defined better these days (20 years later); most providers will allocate a new slot id per each reader unplug/plug.

Probably the pkcs11h_certificate_enumCertificateIds() is to be called when slot event is asserted.

arrowd commented 10 months ago

Sorry, I still don't quite get it.

I want to track which tokens are inserted at the moment. How do I achieve this without getting a slot ID in the hook?

alonbl commented 10 months ago

You can use pkcs11h_token_enumTokenIds(). If you wish, you can use PKCS#11 directly; this library is fairly old, it is designed to abstract the complexity of PKCS#11, while since then the popularity of PKCS#11 (or any standard) has become lower.

arrowd commented 9 months ago

Yes, calling pkcs11h_token_enumTokenIds() to figure out what changed since the last event works. But I still don't see how it would hurt to pass through the slot value from C_WaitForSlotEvent to the hook.
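The approach both comments describe (re-enumerate tokens on every slot event and diff against the previous snapshot, since the hook carries no slot id), as an added example that is not code from pkcs11-helper or from this thread. The snapshot/diff part is self-contained; the pkcs11-helper calls (pkcs11h_token_enumTokenIds, pkcs11h_token_freeTokenIdList, the manufacturerID/serialNumber fields of the token id, and registration via pkcs11h_setSlotEventHook) are compiled only under the assumed WITH_PKCS11H build flag.

```c
#include <stdio.h>
#include <string.h>
#define MAX_TOKENS 16
#define ID_LEN 96
/* Snapshot of the token identities present at one point in time. */
typedef struct { char id[MAX_TOKENS][ID_LEN]; int n; } token_set_t;
static int set_has(const token_set_t *s, const char *id) {
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->id[i], id) == 0) return 1;
    return 0;
}
static void set_add(token_set_t *s, const char *id) {
    if (s->n >= MAX_TOKENS) return;  /* drop extras rather than overflow */
    snprintf(s->id[s->n++], ID_LEN, "%s", id);
}
/* Compare the previous and current snapshots; prints what appeared and
 * what disappeared and returns the total number of changes. */
static int diff_token_sets(const token_set_t *prev, const token_set_t *cur, int *inserted, int *removed) {
    *inserted = *removed = 0;
    for (int i = 0; i < cur->n; i++)
        if (!set_has(prev, cur->id[i])) { (*inserted)++; printf("inserted: %s\n", cur->id[i]); }
    for (int i = 0; i < prev->n; i++)
        if (!set_has(cur, prev->id[i])) { (*removed)++; printf("removed: %s\n", prev->id[i]); }
    return *inserted + *removed;
}
#ifdef WITH_PKCS11H  /* assumed build flag; link with -lpkcs11-helper */
#include <pkcs11-helper-1.0/pkcs11h-token.h>
static token_set_t g_prev;  /* snapshot taken at the previous slot event */
/* Rebuild the snapshot from pkcs11h_token_enumTokenIds(), keyed by
 * manufacturer + serial so a re-plugged token keeps the same identity. */
static void snapshot_tokens(token_set_t *out) {
    pkcs11h_token_id_list_t list = NULL;
    char key[ID_LEN]; out->n = 0;
    if (pkcs11h_token_enumTokenIds(PKCS11H_ENUM_METHOD_RELOAD, &list) != CKR_OK) return;
    for (pkcs11h_token_id_list_t p = list; p != NULL; p = p->next) {
        snprintf(key, sizeof key, "%s/%s", p->token_id->manufacturerID, p->token_id->serialNumber);
        set_add(out, key);
    }
    pkcs11h_token_freeTokenIdList(list);
}
/* Register with pkcs11h_setSlotEventHook(on_slot_event, NULL).  The hook gets
 * no slot id, so diffing against the last snapshot is how we learn what changed. */
static void on_slot_event(void *global_data) {
    token_set_t cur; int ins, rem; (void)global_data;
    snapshot_tokens(&cur);
    diff_token_sets(&g_prev, &cur, &ins, &rem);
    g_prev = cur;
}
#endif
```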

alonbl commented 9 months ago

Slot is meaningless as it is opaque; for plug&play it changes on each unplug/plug, and for a USB token it is totally meaningless. It also means nothing to the user. In what case do you need it?

arrowd commented 9 months ago

You said

you can use pkcs11h_token_enumTokenIds() if you wish you can use PKCS#11 directly

but using them requires specifying slot. How do I go from helper token IDs to slots?

alonbl commented 9 months ago

Oh, I probably wrote it badly... if you want control over slots, keys, and any other low level feature you can use PKCS#11 directly; avoid using this library.

arrowd commented 9 months ago

Ok, I see. Thank you for your explanations.

arrowd commented 9 months ago

Is this bugfix important enough to make a new release? Otherwise I'll just patch pkcs11-helper downstream (FreeBSD).

alonbl commented 9 months ago

If you are the maintainer then it will be nice if you apply it; if not, I will release.

arrowd commented 9 months ago

I'm not, but I do have authorization to do that. I'll patch it locally then, thanks.