Since last report I have done some fixes and updates in the module and looked for the best way to load the module.
I have resolved some memory leaks and updated the build system
I Changed the module to support more than one session at a time, it was faking multiple sessions to users while it was actually using only one.
I decided for a mechanism limiting the number of sessions to 16, no hard restrictions at all. But it can easily be changed to a mechanism with unlimited sessions.
NSS relies on some objects to check for trust on a certificate. These objects are created by NSS when a trust relationship is added. All certificate accessible to NSS were not trusted, the user needed to set a trust relation with the certificate manually.
Now the module mimetizes these objects to NSS so that all certificates found by the module are trusted to protect e-mail communication.
Loading the module
There are some ways the module can be loaded by an application, using p11-kit, libgck, or NSS. A particularity is that the module will be loaded by Evolution, but it won’t actually use it. The real user of the module is NSS, who performs the crypto operations. So, Evolution needs to load it and make it available to NSS.
I could not find a way to it with libgck. To do it via p11-kit you can use pkcs11-proxy.so, and with NSS it can be done directly via SECMOD_LoadUserModule(). To keep things simple for now, I’m going for NSS’ method.
Who does the loading?
Evolution, or Evolution Data Server, needs to load the module at some point. For testing purposes I created a patch to load the module in Evolution (the most appropriate place may be in EDS). And I’m happy to say that the module can do its job.
You finished the module?
The core of the module is finished, it is able to perform the task it was built for.
- To expose X509 Certificate from Evolution Contacts;
- To allow sending of encrypted mail using a certificate retrieved from a contact in Evolution.
But it’s a PKCS#11 module, lots of application can use it in a different way, and the module needs to survive whatever situation it comes to face.
For example, it did not work with p11tool correctly. When p11tool wanted to list all objects the module would return no objects at all. Situations like these will be corrected as they are found.
There are some issues I know that may affect the module, like:
- Certificate Decoding, it is done using SEC_QuickDERDecodeItem(), but I still have doubts about its robustness;
- NSS trust, although NSS trusts the certificate it only trusts it for real use when the trust is set through UI.
GSoC period has come to its end, but work is never over. I hope to keep working on the module and contributing to the community.
Thanks to Google and GNOME organizations for supporting this work. And thank you David Woodhouse for mentoring and helping me on this project.