[gnutls-dev] sign callback for certificate authentication

Simon Josefsson simon at josefsson.org
Tue May 8 12:37:04 CEST 2007


Hi again.  I just realized that the work I'm doing on the PKCS#11 branch
is rather similar to what you provided a patch for here.  The code is
different from yours, but let me what you think and if you can test it:

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2006

I intend to move the external-signing callback API back into the 1.7.x
branch as soon as possible, because it looks rather safe.  I'm not sure
about our PKCS#11 interface library.  Alon Bar-Lev's comments indicate
that it may be better if we stay out of providing tighter PKCS#11
integration and leave that to him and others to work on.  I'd be happy
with that, since I personally think the PKCS#11 interface is too complex
to inspire good confidence in implementations of it.  Still, making it
easy to use OpenPGP cards is an important use-case for me.

/Simon

"Jacob Berkman" <jberkman at novell.com> writes:

> Hello,
>
> I've attached a patch to gnutls which adds a callback for the signing
> step of certificate-based authentication.  This was needed because
> some smart card policies do not allow private keys to be read/exported
> from them.  They implement signing directly on the card.
>
> With this patch, the application can return a NULL private key, and if
> they implement the signing callback, can sign the data themselves.
>
> I developed this patch against gnutls 1.4.4, but it patches and builds
> cleanly against 1.7.7.  Please let me know if any changes are
> required.
>
> Thanks,
>  -- jacob
>
>
> _______________________________________________
> Gnutls-dev mailing list
> Gnutls-dev at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-dev



More information about the Gnutls-dev mailing list