gnutls-devel

Re: [gnutls-dev] GnuTLS PKCS#11 Engine


From: Alon Bar-Lev
Subject: Re: [gnutls-dev] GnuTLS PKCS#11 Engine
Date: Mon, 14 May 2007 17:20:25 +0300

Hello Marcus,

The sequence is as follows:
1. Application calls C_Initialize() of some providers.
2. Application calls fork().
3. Application must call C_Initialize() in the child, as the spec
instructs, so the child environment will be complete.
4. Application wishes to do something else in this child, so it calls
C_Finalize().
5. Parent can access PKCS#11 token.
6. Child does not.

In your case you fork, so automatically you get C_Initialize(),
C_Finalize() in the child, and it seems that somehow it stops the parent
from working?

Best Regards,
Alon Bar-Lev.

On 5/14/07, Marcus Brinkmann <address@hidden> wrote:
At Mon, 14 May 2007 14:28:54 +0300,
"Alon Bar-Lev" <address@hidden> wrote:
>
> On 5/14/07, Simon Josefsson <address@hidden> wrote:
> > I suppose this is just PKCS#11 internal stuff, and I hope you will solve
> > it.  If I can assist in testing anything, let me know.
>
> This is a Scute problem, I cannot solve this... I CCed Marcus, I hope he
> will be able to solve it.

I am happy to help, but I need to know with what.  I am not subscribed
to gnutls, please forward me the relevant details.

From the followup mail I was CC'ed I guess it is related to threading
and Scute's use of fork().  I realize that it could be a problem (also
I would still like to know the particular details that bother you).
Unfortunately, we can not limit ourselves to the gpg-agent interface,
because we need the certificates, and those are in gpgsm's database,
and not accessed by gpg-agent.

Another idea: If gpgsm were to run as a server on a named pipe, it
could have a call-agent passthrough interface for the gpg-agent stuff
(similar to SCD command in gpg-agent), and then we could do everything
over a socket.  However, we are not quite there yet to fully support
such a model of operation, so that's more of a long-term option.

Enough guessing, let's hear you now :)

Thanks,
Marcus
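
The six-step sequence listed in the message above, as an added example that is not part of the original thread: a mock provider (not Scute or any real PKCS#11 module) that ties its initialized state to the calling process ID, which is an assumption about how a fork-aware provider behaves. `mock_C_Initialize`, `mock_C_Finalize`, `mock_token_op` and `run_fork_sequence` are hypothetical names; the `CKR_*` values are the standard PKCS#11 return codes.

```c
/* Added example: mock provider, not a real PKCS#11 module. */
#include <stddef.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef unsigned long CK_RV;
#define CKR_OK                           0x000UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL

/* Assumption: the provider remembers which process initialized it. */
static pid_t init_pid = 0;

CK_RV mock_C_Initialize(void *args) {
    (void)args;
    if (init_pid == getpid()) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    init_pid = getpid();   /* fresh start, or stale state inherited via fork() */
    return CKR_OK;
}

CK_RV mock_C_Finalize(void *reserved) {
    (void)reserved;
    if (init_pid != getpid()) return CKR_CRYPTOKI_NOT_INITIALIZED;
    init_pid = 0;          /* only this process's copy of the state changes */
    return CKR_OK;
}

/* Hypothetical stand-in for any call that needs the token. */
CK_RV mock_token_op(void) {
    return init_pid == getpid() ? CKR_OK : CKR_CRYPTOKI_NOT_INITIALIZED;
}

/* Returns 0 when steps 1-6 behave as listed, else the number of the failing step. */
int run_fork_sequence(void) {
    if (mock_C_Initialize(NULL) != CKR_OK) return 1;                /* step 1 */
    pid_t child = fork();                                           /* step 2 */
    if (child < 0) return 2;
    if (child == 0) {
        int bad = 0;   /* child: inherited state must not count as initialized */
        if (mock_token_op() != CKR_CRYPTOKI_NOT_INITIALIZED) bad = 2;
        else if (mock_C_Initialize(NULL) != CKR_OK) bad = 3;        /* step 3 */
        else if (mock_C_Finalize(NULL) != CKR_OK) bad = 4;          /* step 4 */
        else if (mock_token_op() != CKR_CRYPTOKI_NOT_INITIALIZED) bad = 6; /* step 6 */
        _exit(bad);
    }
    int status = 0;
    if (waitpid(child, &status, 0) != child || !WIFEXITED(status)) return 2;
    if (WEXITSTATUS(status) != 0) return WEXITSTATUS(status);
    if (mock_token_op() != CKR_OK) return 5;                        /* step 5 */
    return mock_C_Finalize(NULL) == CKR_OK ? 0 : 7;
}
```

A provider that keeps state shared between parent and child, such as an open connection to a helper process, is where the child's C_Finalize() can disturb the parent; this mock has no such shared state.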




