support for non-openpgp cards
Simon Josefsson
jas at extundo.com
Thu Nov 18 23:35:20 CET 2004
Zeljko Vrba <zvrba at globalnet.hr> writes:
> Pr=E1gai, R=F3bert wrote:
>
> | Hi Zeljko,
> |
> | big welcome for the pkcs11 patch for gnupg! We use cryptoflex
> | e-gate 32k cards here and planned to make such a patch, too. You
> | were the quicker:) My question: is the MUSCLE pkcs11 library
> | required for this patch or any other pkcs11 (e.g. opensc-pkcs11)
> | library will do the job?
> |
> |
> I believe that any PKCS#11 implementation for that card should work in
> theory.
>
> Unfortunately, I have seen few PKCS#11 implementations (even
> commercial) that correctly implement PKCS#11 spec in all relevant
> aspects. So that supporting different PKCS#11 _implementation_ (even
> for the same card) could result in big code changes..
>
> So, what _in theory_ should be ONE source, _in practice_ that source
> gets many #ifdefs for various PKCS#11 implementations.. :(
IMHO, you should not care about broken implementations. There is a
well-defined PKCS#11 specification, even including header files.
Write code for the specification. If something doesn't work because
someone isn't implementing the specification, that's their problem.
Polluting GnuPG code with #ifdef would make GnuPG users pay the price
of other's bad work.
To make things work in the real world, and not just a dream world
where everyone implement the specification, you can write a module
that translate from broken PKCS#11 to correct PKCS#11. IMHO, this is
much better than coding for broken PKCS#11 directly.
But hey, I'm not doing any work, so if you are, you get to chose the
strategy. ;-)
There is a GNU PKCS#11 package:
http://gpkcs11.sourceforge.net/
Alas, it uses OpenSSL.
Regards,
Simon
More information about the Gnupg-devel
mailing list