[gnutls-dev] sign callback for certificate authentication

Simon Josefsson simon at josefsson.org
Fri May 11 15:48:36 CEST 2007


"Alon Bar-Lev" <alon.barlev at gmail.com> writes:

> Hello Simon,
>
> Can you please clean up the branch removing the Scute requirement and
> PKCS#11 implementation, leaving only the engine callbacks so I can
> work on this?

Hi.  I'm making Scute an optional dependency on the branch now.

> BTW: Your API need to allow adding user data pointer so that callbacks
> will be able to access some private data.
>
> Ludovic already suggested this at:
> http://lists.gnupg.org/pipermail/gnutls-dev/2007-April/001434.html
> And I already suggested it at:
> http://lists.gnupg.org/pipermail/gnutls-dev/2007-May/001557.html

I've added this too.

> BTW2: You should add cleanup callback, so that resources can be
> released on session end.
> http://lists.gnupg.org/pipermail/gnutls-dev/2007-May/001557.html

This seems to be bloat to me, since it offers no additional
functionality.  Applications can cleanup resources when they deinit the
particular GnuTLS session that uses the sign callback, can they not?

> We can discuss the API before you start implementation, so if you
> provide the prototypes before implementation it will allow reducing
> efforts.

I'm considering changing the APIs (see below), so I didn't want to
spend time discussing the changes for the next release now (otherwise I
wouldn't have time to release it today).

When I have time to write down my ideas about the changes that are
necessary -- the sign callback should be set per
gnutls_certificate_credential_t and not per session -- we can discuss
the new API.  However, I'm going to be busy for about 10 days so nothing
will happen until after that.

What should be possible for you with the upcoming p11.2 release is to
write a PKCS#11 interface that can be invoked via the sign callback.  I
hope that you will be able to test signing via the callback and some
PKCS#11 provider that you have until I come back.  Then, with your
experience and the new API, we can finalize it and bring it back into
the 1.7.x branch.

Thanks,
Simon

> Best Regards,
> Alon Bar-Lev.
>
> On 5/8/07, Simon Josefsson <simon at josefsson.org> wrote:
>> Hi again.  I just realized that the work I'm doing on the PKCS#11 branch
>> is rather similar to what you provided a patch for here.  The code is
>> different from yours, but let me know what you think and if you can test it:
>>
>> http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2006
>>
>> I intend to move the external-signing callback API back into the 1.7.x
>> branch as soon as possible, because it looks rather safe.  I'm not sure
>> about our PKCS#11 interface library.  Alon Bar-Lev's comments indicate
>> that it may be better if we stay out of providing tighter PKCS#11
>> integration and leave that to him and others to work on.  I'd be happy
>> with that, since I personally think the PKCS#11 interface is too complex
>> to inspire good confidence in implementations of it.  Still, making it
>> easy to use OpenPGP cards is an important use-case for me.
>>
>> /Simon
>>
>> "Jacob Berkman" <jberkman at novell.com> writes:
>>
>> > Hello,
>> >
>> > I've attached a patch to gnutls which adds a callback for the signing
>> > step of certificate-based authentication.  This was needed because
>> > some smart card policies do not allow private keys to be read/exported
>> > from them.  They implement signing directly on the card.
>> >
>> > With this patch, the application can return a NULL private key, and if
>> > they implement the signing callback, can sign the data themselves.
>> >
>> > I developed this patch against gnutls 1.4.4, but it patches and builds
>> > cleanly against 1.7.7.  Please let me know if any changes are
>> > required.
>> >
>> > Thanks,
>> >  -- jacob
>> >
>> >
>> > _______________________________________________
>> > Gnutls-dev mailing list
>> > Gnutls-dev at gnupg.org
>> > http://lists.gnupg.org/mailman/listinfo/gnutls-dev
>>

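The user-data pointer Alon asks for above, as an added stand-alone C model of the callback pattern rather than code from this thread or GnuTLS's real API: a hypothetical `sign_func_t` receives an opaque pointer, so each TLS session's callback reaches its own card handle and audit counter without globals. The "card" and the tag it produces are constructed stand-ins; a real card would sign on-board, and the key would likewise never leave it.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical callback type after the thread's proposal (not the real GnuTLS
 * API): the library hands back the userdata the application registered. */
typedef int (*sign_func_t)(void *userdata, const uint8_t *hash, size_t hash_len,
                           uint8_t *sig, size_t *sig_len);
/* Stand-in for a smart card: the key stays inside and is never exported. */
struct card_handle { uint8_t secret[16]; /* constructed, not a real key */ };

/* Per-session private state the application wants the callback to reach. */
struct session_ctx { struct card_handle *card; unsigned sign_count; };

/* Model of on-card signing: a tag derived from secret and hash. Not a real
 * signature scheme; constructed purely so the example is self-contained. */
static void card_sign(const struct card_handle *c, const uint8_t *hash,
                      size_t hash_len, uint8_t *out)
{
    for (size_t i = 0; i < hash_len; i++)
        out[i] = hash[i] ^ c->secret[i % sizeof c->secret];
}

/* The application's callback: no globals, userdata carries this session's own
 * card handle and audit counter; rejects a hash the caller's buffer can't hold. */
static int app_sign_cb(void *userdata, const uint8_t *hash, size_t hash_len,
                       uint8_t *sig, size_t *sig_len)
{
    struct session_ctx *ctx = userdata;
    if (ctx == NULL || ctx->card == NULL || hash_len > *sig_len)
        return -1;
    card_sign(ctx->card, hash, hash_len, sig);
    *sig_len = hash_len;
    ctx->sign_count++;
    return 0;
}

/* Two sessions, two cards, one callback: 1 if each session signed with its own
 * card (distinct tags) and only its own counter advanced, 0 otherwise. */
int demo_two_sessions(void)
{
    struct card_handle a = { { 0x11, 0x22, 0x33, 0x44 } };
    struct card_handle b = { { 0x55, 0x66, 0x77, 0x88 } };
    struct session_ctx s1 = { &a, 0 }, s2 = { &b, 0 };
    const uint8_t hash[4] = { 0xde, 0xad, 0xbe, 0xef };  /* constructed input */
    uint8_t sig1[64], sig2[64];
    size_t len1 = sizeof sig1, len2 = sizeof sig2;
    sign_func_t cb = app_sign_cb;  /* what the app would register with the library */
    if (cb(&s1, hash, sizeof hash, sig1, &len1) != 0) return 0;
    if (cb(&s2, hash, sizeof hash, sig2, &len2) != 0) return 0;
    return len1 == 4 && len2 == 4 && memcmp(sig1, sig2, 4) != 0 && s1.sign_count == 1 && s2.sign_count == 1;
}
```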