[gnutls-dev] [RFC] gnutls-pkcs11
Alon Bar-Lev
alon.barlev at gmail.com
Sat Aug 18 14:04:14 CEST 2007
Hello all,

I would like to receive some input regarding the gnutls-pkcs11 API.

Source:
http://alon.barlev.googlepages.com/gnutls-pkcs11-0.02.tar.bz2
Doc:
http://alon.barlev.googlepages.com/gnutls-pkcs11-doc-0.02.tar.bz2

As I am not a gnutls developer, I may have done something against the conventions.
The main issues a PKCS#11 implementation should handle are:

1. Support many variants of PKCS#11 providers' implementations
To allow this I added a generic (unimplemented yet) params string to
initialization and provider addition.
The format would be name=value;name=value;

2. Support many providers at the same time.
Most (large) user installations have many types of providers; allowing
applications to work with all of them without difference is important.

3. Access to the token is not guaranteed
Even if the token was available at session establishment, it may not
be available later on. We should have a way to prompt the user to
insert his token when required.

4. Passphrase management
Unlike files, a token may require a passphrase several times during a
session, for example if it is removed and inserted or it has an internal
timeout.

5. Identity serialization
When a certificate is requested, we may or may not have the
required token in the reader.
But in order to allow people to select a specific certificate for a
specific session, we should be able to serialize the identity so that
it can be used in later transactions.

So we end up with a new type: gnutls_pkcs11_certificate_t.
When an x509 certificate is needed you can:
gnutls_pkcs11_get_crt (pkcs11_cert, &x509)
Best Regards,
Alon Bar-Lev.
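As an added illustration of the name=value;name=value; params string from item 1 (example code written for this note, not part of gnutls-pkcs11; the parameter names in the sample and the fixed table sizes are assumptions), here is a strict parser that rejects malformed segments instead of silently accepting them:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not gnutls-pkcs11 code: parse the provider params
   string "name=value;name=value;" described in the mail. */

#define MAX_PARAMS 16
#define MAX_LEN    64

struct pkcs11_param { char name[MAX_LEN]; char value[MAX_LEN]; };

/* Returns the number of pairs parsed, or -1 if the string is malformed
   (segment without '=', empty name, over-long field, or table full).
   A trailing ';' is accepted; an empty value ("k=") is accepted. */
int pkcs11_parse_params(const char *params, struct pkcs11_param *out, int max)
{
    int n = 0;
    const char *p = params;
    while (p && *p) {
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        if (!eq || eq == p || n >= max) return -1;
        size_t nlen = (size_t)(eq - p), vlen = len - nlen - 1;
        if (nlen >= MAX_LEN || vlen >= MAX_LEN) return -1;  /* no truncation */
        memcpy(out[n].name, p, nlen);        out[n].name[nlen] = '\0';
        memcpy(out[n].value, eq + 1, vlen);  out[n].value[vlen] = '\0';
        n++;
        p = end ? end + 1 : NULL;   /* a trailing ';' ends the loop cleanly */
    }
    return n;
}

/* Look up `name` in a params string; NULL if absent or the string is
   malformed. Returns a pointer into a static buffer (single-threaded). */
const char *pkcs11_params_get(const char *params, const char *name)
{
    static struct pkcs11_param tab[MAX_PARAMS];
    int n = pkcs11_parse_params(params, tab, MAX_PARAMS);
    for (int i = 0; i < n; i++)
        if (strcmp(tab[i].name, name) == 0) return tab[i].value;
    return NULL;
}

/* Number of pairs in a params string, or -1 on malformed input. */
int pkcs11_params_count(const char *params)
{
    struct pkcs11_param tab[MAX_PARAMS];
    return pkcs11_parse_params(params, tab, MAX_PARAMS);
}

int main(void)
{
    /* constructed sample; the parameter names are invented for this example */
    const char *s = "pin-cache=300;protected-auth=yes;";
    printf("%d params, pin-cache=%s\n", pkcs11_params_count(s),
           pkcs11_params_get(s, "pin-cache"));
    return 0;
}
```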