Start p11-kit server with opensc provider when available. #5547
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The purpose of the p11-kit server session helper is to make host trusted certificates available in the sandbox. If the opensc module is availble (checked by presence of `opensc-tool` in path) then start the p11-kit server with the opensc-pkcs11.so provider and pkcs11 uri set. Ths pkcs11 uri for opensc has a query of: `library-manufacturer=OpenSC Project` & `type=cert` to ensure that it only provides objects of type "certificate" provided by the "OpenSC Project" library. The pkcs11 uri is defined in [RFC 7512](https://datatracker.ietf.org/doc/html/rfc7512) The purpose and driver for adding this change is to get US Government PIV cards (CAC) to work with the various flatpak'd web browsers such as chromium and all chromium based browsers such as Edge, and Firefox. Some info on the US PIV can be found on the OpenSC project [here](https://github.com/OpenSC/OpenSC/wiki/US-PIV)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The purpose of the p11-kit server session helper is to make host trusted certificates available in the sandbox. If the opensc module is available (checked by presence of
opensc-toolin path) then start the p11-kit server with the opensc-pkcs11.so provider and pkcs11 uri set.Ths pkcs11 uri for opensc has a query of:
library-manufacturer=OpenSC Project&type=certto ensure that it only provides objects of type "certificate" provided by the "OpenSC Project" library.The pkcs11 uri is defined in RFC 7512
The purpose and driver for adding this change is to get US Government PIV cards (CAC) to work with the various flatpak'd web browsers such as chromium and all chromium based browsers such as Edge, and Firefox. Some info on the US PIV can be found on the OpenSC project here