initial PKCS #11 support

From: Nikos Mavrogiannopoulos
Subject: initial PKCS #11 support
Date: Sun, 16 May 2010 12:12:51 +0200
User-agent: Thunderbird 2.0.0.24 (X11/20100411)
Hello,
I have implemented a limited (to public keys and private keys) PKCS #11
API in gnutls. This was inspired mainly by the neon PKCS #11 support and
Alon's gnutls-pkcs11, although I think it has a larger scope.
A sneak preview is at
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=shortlog;h=new
* How it works:
It can be enabled with a global config file (/etc/gnutls/pkcs11.conf)
which contains the pkcs11 modules to load, or an application may ignore
it and specify explicitly the modules it uses (see
gnutls_pkcs11_init()). The file contains entries such as:
"load=/xxx/pkcs11-lib.so"
To reference PKCS #11 objects gnutls uses URLs as in
http://tools.ietf.org/html/draft-pechanec-pkcs11uri-01
This has the advantage that all existing applications that use the
gnutls functions to load keys/certificates will be able to use pkcs11
urls transparently.
With certtool a list of the available keys is shown:
./certtool --pkcs11-list
PIN required for token 'Nikos Mavrogiannopoulos (User P' in slot
'OmniKey CardMan 3121 00 00'
Enter password:
Certificate 0:
URL:
pkcs11:token=Nikos%20Mavrogiannopoulos%20%28User%20P;serial=307521161601031;model=PKCS%2315;manufacturer=EnterSafe;object=Certificate;id=db:5b:3e:b5:72:33:92:99:18:ed:bb:eb:74:68:31:bd:b2:23:67:26
Label: Certificate
ID: db:5b:3e:b5:72:33:92:99:18:ed:bb:eb:74:68:31:bd:b2:23:67:26
With gnutls-cli or gnutls-serv and x509certfile/x509keyfile a pkcs11 url
can be specified to use the corresponding keys and certificates.
As a backend a modified pakchois library is used (modified to load an
arbitrary library instead of looking into default paths).
An example application can be seen at:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=blob;f=doc/examples/ex-cert-select-pkcs11.c;h=64875a97601d02d3288fe802831e71ec04c919e7;hb=9c21137aed2910de498832f598ae49238f40a27b
Still there are several things to be done such as:
1. gnutls-cli/serv --x509cafile read from a pkcs11 url (certtool
--pkcs11-list-trusted does something similar already)
2. Support for PKCS #11 secret keys in PSK ciphersuites
3. Thread lock issues with sharing of pkcs11 objects (probably implement
locks around gnutls_pkcs11_privkey_t operations)
4. Allow signing of certificates with a pkcs 11 key (should be trivial
using the gnutls_privkey_t api)
5. Allow reading and transforming pkcs11 public keys to certificates and
certificate requests.
6. Allow generation of keys (still thinking whether it's worthwhile)
Any comments welcome.
regards,
Nikos
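The pkcs11: URL form shown in the mail, worked through as an added Python example (not gnutls code and not part of the original post): it splits a URL into percent-decoded attributes, rejects malformed or duplicated ones, decodes the colon-separated id as printed by certtool, and applies the URL as a filter over a constructed list of objects. Matching object fields by the URL attribute names is an assumption made for illustration.

```python
from urllib.parse import unquote

# The URL printed by certtool --pkcs11-list in the mail above.
EXAMPLE_URL = ("pkcs11:token=Nikos%20Mavrogiannopoulos%20%28User%20P;"
               "serial=307521161601031;model=PKCS%2315;manufacturer=EnterSafe;"
               "object=Certificate;"
               "id=db:5b:3e:b5:72:33:92:99:18:ed:bb:eb:74:68:31:bd:b2:23:67:26")

# Constructed sample objects, shaped like what a module might enumerate
# (object fields are named after the URL attributes; an assumption).
SAMPLE_OBJECTS = [
    {"token": "Nikos Mavrogiannopoulos (User P", "serial": "307521161601031",
     "model": "PKCS#15", "manufacturer": "EnterSafe", "object": "Certificate",
     "id": "db:5b:3e:b5:72:33:92:99:18:ed:bb:eb:74:68:31:bd:b2:23:67:26"},
    {"token": "Test token", "serial": "000000000000001", "model": "PKCS#15",
     "manufacturer": "EnterSafe", "object": "Private key", "id": "01:02:03"},
]

def is_pkcs11_url(name: str) -> bool:
    """Decide whether a 'file name' argument is really a PKCS #11 URL."""
    return name.startswith("pkcs11:")

def parse_pkcs11_url(url: str) -> dict:
    """Split 'pkcs11:name=value;name=value' into percent-decoded attributes."""
    if not is_pkcs11_url(url):
        raise ValueError("not a pkcs11: URL")
    attrs = {}
    body = url[len("pkcs11:"):]
    for part in (body.split(";") if body else []):
        name, sep, value = part.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed attribute {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        attrs[name] = unquote(value)  # %20 -> ' ', %28 -> '(', %23 -> '#'
    return attrs

def object_id_bytes(attrs: dict) -> bytes:
    """Decode the colon-separated hex CKA_ID that certtool prints."""
    return bytes(int(octet, 16) for octet in attrs["id"].split(":"))

def select_objects(url: str, objects: list) -> list:
    """A URL is a filter: every attribute it names must equal the object's
    value; attributes it omits match anything, so a bare 'pkcs11:' selects all."""
    attrs = parse_pkcs11_url(url)
    return [o for o in objects
            if all(o.get(k) == v for k, v in attrs.items())]
```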