[Buildroot] [PATCH 4/5] pkcs11-helper: new package
Arnout Vandecappelle
arnout at mind.be
Tue Oct 29 23:27:08 UTC 2019
On 28/10/2019 22:24, aduskett at gmail.com wrote:
> From: Adam Duskett <Aduskett at gmail.com>
>
> pkcs11-helper is a library that simplifies the interaction with PKCS#11
> providers for end-user applications. Pkcs11-helper allows using multiple
> PKCS#11 providers at the same time, enumerating available token
> certificates, or selecting a certificate directly by serialized id, handling
> card removal and card insert events, handling card re-insert to a different
> slot, supporting session expiration and much more all using a simple API.
>
> Signed-off-by: Adam Duskett <Aduskett at gmail.com>
[snip]
> +config BR2_PACKAGE_PKCS11_HELPER
> + bool "pkcs11-helper"
> + help
> + pkcs11-helper is a library that simplifies the interaction
> + with PKCS#11 providers for end-user applications.
> +
> + pkcs11-helper allows using multiple PKCS#11 providers at the
> + same time, enumerating available token certificates, or
> + selecting a certificate directly by serialized id, handling
> + card removal and card insert events, handling card re-insert
> + to a different slot, supporting session expiration and much
> + more all using a simple API.
> +
> + pkcs11-helper is not designed to manage card content, since
> + object attributes are usually vendor specific, and 99% of
> + application need to access existing objects in order to
> + perform signature and decryption.
> +
> + https://github.com/OpenSC/pkcs11-helper
> +
> +if BR2_PACKAGE_PKCS11_HELPER
> +
> +config BR2_PACKAGE_PKCS11_HELPER_GNUTLS_ENGINE
> + bool "gnutls engine support"
> + depends on !BR2_STATIC_LIBS
> + depends on BR2_USE_WCHAR
> + select BR2_PACKAGE_GNUTLS
As usual, bikeshedding over the Config.in options :-)
AFAIU, pkcs11-helper can be of limited use on its own (dumping info about
tokens, presumably it automatically connects to pcscd if available). So a crypto
engine is not strictly needed. But, again AFAIU, its real use is to serve as a
plugin for the various crypto libraries so they can use the token. Is that correct?
So, I would think that the logic is that you first select your crypto
provider(s) (possibly implicitly through a package that uses a crypto provider),
and then you add the pkcs11 "plugin" to it. So to me it seems more logical to
use depends on gnutls than select.
But then, I wonder if it even makes sense to make it optional. Does it cost a
lot of code size to add an engine if that particular crypto library is anyway built?
I may be all wrong about this though.
I've not marked this as Changes Requested since it may be OK as is.
> +
> +comment "gnutls support needs a toolchain w/ wchar, dynamic library"
> + depends on !BR2_USE_WCHAR || BR2_STATIC_LIBS
> +
> +config BR2_PACKAGE_PKCS11_HELPER_MBEDTLS_ENGINE
> + bool "mbedtls engine support"
> + select BR2_PACKAGE_MBEDTLS
> +
> +config BR2_PACKAGE_PKCS11_HELPER_NSS_ENGINE
> + bool "nss engine support"
> + depends on BR2_TOOLCHAIN_HAS_THREADS # libnspr
> + depends on BR2_PACKAGE_LIBNSPR_ARCH_SUPPORT # libnspr
> + depends on !BR2_STATIC_LIBS
> + select BR2_PACKAGE_LIBNSS
> +
> +comment "nss support needs a toolchain w/ threads, dynamic library"
> + depends on BR2_PACKAGE_LIBNSPR_ARCH_SUPPORT
> + depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS
> +
> +config BR2_PACKAGE_PKCS11_HELPER_OPENSSL_ENGINE
> + bool "openssl engine support"
> + select BR2_PACKAGE_OPENSSL
> +
> +endif
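Review bot: the `depends on !BR2_STATIC_LIBS` lines on the gnutls and nss engine options carry no explanation, while the threads and arch-support lines on the nss option are annotated with `# libnspr`; add a matching comment naming which selected library forces the dynamic-library requirement, so the restriction can be re-checked when those packages change. Also, in the help text, `99% of application need to access` should read `99% of applications need to access`.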
> diff --git a/package/pkcs11-helper/pkcs11-helper.hash b/package/pkcs11-helper/pkcs11-helper.hash
> new file mode 100644
> index 0000000000..28ef74b410
> --- /dev/null
> +++ b/package/pkcs11-helper/pkcs11-helper.hash
> @@ -0,0 +1,3 @@
> +# Locally computed
> +sha256 fbcec9dd15a71d6ef22b09f63934c66d7d0292fefbaf3a60703ee4a9a73bf6a5 pkcs11-helper-pkcs11-helper-1.25.1.tar.gz
> +sha256 b8a2f73f743dc1a51aff23f1aacbca4b868564db52496fa3c0caba755bfd1eaf COPYING
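Review bot: COPYING is the only license file hashed here, but the review of the .mk part of this patch asks for COPYING.BSD and COPYING.GPL to be added to _LICENSE_FILES; every file listed there needs its own sha256 line in this file so legal-info can verify it. Note also that the tarball name `pkcs11-helper-pkcs11-helper-1.25.1.tar.gz` follows from the current `_VERSION = pkcs11-helper-1.25.1` value; if the `pkcs11-helper-` prefix moves into `_SITE` as requested, this filename must change to match.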
> diff --git a/package/pkcs11-helper/pkcs11-helper.mk b/package/pkcs11-helper/pkcs11-helper.mk
> new file mode 100644
> index 0000000000..07a0c046ad
> --- /dev/null
> +++ b/package/pkcs11-helper/pkcs11-helper.mk
> @@ -0,0 +1,51 @@
> +################################################################################
> +#
> +# pkcs11-helper
> +#
> +################################################################################
> +
> +PKCS11_HELPER_VERSION = pkcs11-helper-1.25.1
This is like the v prefix: we want version as 1.25.1 and the pkcs11-helper-
prefix in the _SITE variable.
> +PKCS11_HELPER_SITE = $(call github,OpenSC,pkcs11-helper,$(PKCS11_HELPER_VERSION))
> +PKCS11_HELPER_LICENSE = GPL-2.0
COPYING says that it is GPL-2.0 OR BSD-3-Clause.
It also mentions the OpenSSL and gnutls etc. licenses, but I don't think those
sources are included so that's just wrong.
> +PKCS11_HELPER_LICENSE_FILES = COPYING
You also need to include COPYING.BSD and COPYING.GPL.
> +PKCS11_HELPER_AUTORECONF = YES
> +PKCS11_HELPER_INSTALL_STAGING = YES
> +
> +PKCS11_HELPER_CONF_OPTS = \
> + --disable-crypto-engine-polarssl \
Weird... polarssl is just mbedtls...
> + --disable-crypto-engine-cryptoapi \
cryptoapi... Is that the kernel AF_CRYPTO interface? That should always be
supported then...
> + --disable-dependency-tracking
We don't usually specify that.
Regards,
Arnout
> +
> +ifeq ($(BR2_PACKAGE_PKCS11_HELPER_GNUTLS_ENGINE),y)
> +PKCS11_HELPER_DEPENDENCIES += gnutls
> +PKCS11_HELPER_CONF_OPTS += --enable-crypto-engine-gnutls
> +else
> +PKCS11_HELPER_CONF_OPTS += --disable-crypto-engine-gnutls
> +endif
> +
> +ifeq ($(BR2_PACKAGE_PKCS11_HELPER_NSS_ENGINE),y)
> +PKCS11_HELPER_DEPENDENCIES += libnss
> +PKCS11_HELPER_CONF_OPTS += --enable-crypto-engine-nss
> +else
> +PKCS11_HELPER_CONF_OPTS += --disable-crypto-engine-nss
> +endif
> +
> +ifeq ($(BR2_PACKAGE_PKCS11_HELPER_MBEDTLS_ENGINE),y)
> +PKCS11_HELPER_DEPENDENCIES += mbedtls
> +PKCS11_HELPER_CONF_OPTS += --enable-crypto-engine-mbedtls
> +else
> +PKCS11_HELPER_CONF_OPTS += --disable-crypto-engine-mbedtls
> +endif
> +
> +ifeq ($(BR2_PACKAGE_PKCS11_HELPER_OPENSSL_ENGINE),y)
> +PKCS11_HELPER_DEPENDENCIES += openssl
> +PKCS11_HELPER_CONF_OPTS += \
> + --enable-openssl \
> + --enable-crypto-engine-openssl
> +else
> +PKCS11_HELPER_CONF_OPTS += \
> + --disable-openssl \
> + --disable-crypto-engine-openssl
> +endif
> +
> +$(eval $(autotools-package))
>
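Review bot: `PKCS11_HELPER_AUTORECONF = YES` has no comment explaining why the configure script has to be regenerated; Buildroot reviewers expect that justification next to the variable (for a GitHub archive tarball it is typically that the archive ships no generated configure script), so add a one-line comment above it stating the reason.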