The smartcard plugin of g-c-c has been based on the usage of the NSS API; unfortunately this means that, in order to be able to fetch the PKCS #11 devices, the system must provide a shared certificate NSS database that is not standard in most distributions outside the Fedora / RH world.

Also, this database has to be pre-filled with PKCS #11 libraries to get the available ones, not fully respecting the p11-kit modules standard (even though by default it now relies on a p11-kit-proxy library that de facto follows this).

Because of this, it's currently quite hard to get smartcard authentication in GDM working with either pam-sss or pam-pkcs11 in most distros.

This was also introducing another level of abstraction, while using the p11-kit libs is nowadays preferred.

That said, it made sense to finally use some standard libraries so that smartcard devices supported by p11-kit can be handled without any further action.

While we could support multiple backends, it doesn't really make any sense at this point, without breaking Fedora and friends, in fact:

 1) As said, distros using the NSS db were already getting devices from p11-kit via a proxy
 2) Fedora and RHEL rely on SSSD for the PAM authentication and this project completely dropped the NSS support [1], and only uses p11-kit and OpenSSL.

So this change will actually ensure that the smartcard support will continue working even on distros that are using a system NSS database.

Given that GNOME already has a library to abstract PKCS#11 devices, I preferred not to write yet another wrapper around it, and just rely on that as a light wrapper around the devices, slots and tokens operations.

So we can remove quite a lot of initialization code, while some facilities that were provided by NSS (such as waiting for slot events) had to be reimplemented, but following the same logic.

Fixes: #260
Related to: #439

[1] https://github.com/SSSD/sssd/commit/266ecc083d5
b7121e38