[gnutls-dev] sign callback for certificate authentication

Simon Josefsson simon at josefsson.org
Tue Apr 10 12:01:33 CEST 2007


"Jacob Berkman" <jberkman at novell.com> writes:

> Hello,
>
> I've attached a patch to gnutls which adds a callback for the signing
> step of certificate-based authentication.  This was needed because
> some smart card policies do not allow private keys to be read/exported
> from them.  They implement signing directly on the card.
>
> With this patch, the application can return a NULL private key, and if
> they implement the signing callback, can sign the data themselves.
>
> I developed this patch against gnutls 1.4.4, but it patches and builds
> cleanly against 1.7.7.  Please let me know if any changes are
> required.

Hi!  This seems quite useful.  Ultimately, we probably should support
protocols like PKCS#11 to externalize the signing requests, and I have
been planning to work on this.  It may be that your APIs need to be
modified slightly to better integrate with that.  Anyway, I'm rather
busy now, and won't be able to work on the PKCS#11 stuff in the next
1-2 weeks.  If your patch works now, we should install it rather than
wait.  To be able to install your patch, however, we need an
assignment of the copyright to the FSF.  Is this a problem?  Let me
know privately and I'll send it to you.

/Simon
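The mechanism the quoted message describes, as an added example that is not the patch's code and not GnuTLS's API: a credential record that carries either an in-process private key or a signing callback, and a handshake signing step that delegates to the callback when the key is NULL, so the private exponent never leaves the "card". The names (cert_credentials, sign_cb, handshake_sign, toy_token), the FNV-1a digest stand-in and the tiny textbook RSA parameters (p=61, q=53) are all assumptions for illustration; a real token holds a full-size key and applies PKCS#1 padding on the card.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy RSA parameters (textbook p=61, q=53), assumed here only so the
 * arithmetic fits in integers. Never use keys of this size. */
#define TOY_N 3233u
#define TOY_E 17u
#define TOY_D 2753u

/* Assumed callback shape (not GnuTLS's real API): the application signs
 * `data` wherever the key lives and hands back only the signature. */
typedef int (*sign_cb)(void *userdata, const uint8_t *data, size_t len,
                       uint32_t *sig_out);

/* Assumed credential record: an in-process key, or NULL plus a callback. */
typedef struct {
    const uint32_t *private_key;  /* NULL => not exportable, use callback */
    sign_cb callback;
    void *callback_data;
    uint32_t n, e;                /* public key, as carried in the cert */
} cert_credentials;

/* Simulated smart card: the private exponent is held here and never copied out. */
typedef struct { uint32_t d, n; } toy_token;

static uint32_t modpow(uint32_t base, uint32_t exp, uint32_t mod)
{
    uint64_t result = 1, b = base % mod;
    while (exp) {
        if (exp & 1)
            result = (result * b) % mod;
        b = (b * b) % mod;
        exp >>= 1;
    }
    return (uint32_t)result;
}

/* Digest stand-in (FNV-1a reduced mod n) so the message fits the toy modulus;
 * a real implementation hashes with SHA-2 and pads per PKCS#1. */
static uint32_t digest(const uint8_t *data, size_t len, uint32_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 16777619u;
    }
    return h % n;
}

/* "On-card" signing: the library calls this and receives only the signature. */
static int token_sign(void *userdata, const uint8_t *data, size_t len,
                      uint32_t *sig_out)
{
    const toy_token *tok = userdata;
    *sig_out = modpow(digest(data, len, tok->n), tok->d, tok->n);
    return 0;
}

/* Library-side signing step of certificate authentication. Returns 0 on
 * success, -1 when there is neither a key nor a callback to sign with. */
int handshake_sign(const cert_credentials *cred, const uint8_t *data,
                   size_t len, uint32_t *sig_out)
{
    if (cred->private_key != NULL) {
        *sig_out = modpow(digest(data, len, cred->n), *cred->private_key, cred->n);
        return 0;
    }
    if (cred->callback == NULL)
        return -1;   /* refuse rather than complete an unauthenticated handshake */
    return cred->callback(cred->callback_data, data, len, sig_out);
}

/* Peer-side check with the public key from the certificate. */
int verify_sig(uint32_t n, uint32_t e, const uint8_t *data, size_t len,
               uint32_t sig)
{
    return modpow(sig, e, n) == digest(data, len, n);
}

static const uint8_t MSG[] = "handshake-transcript";   /* constructed sample */
#define MSG_LEN (sizeof MSG - 1)

/* Card-backed credentials: NULL key, signing delegated to the token. */
int demo_callback_signing(void)
{
    toy_token tok = { TOY_D, TOY_N };
    cert_credentials cred = { NULL, token_sign, &tok, TOY_N, TOY_E };
    uint32_t sig = 0;
    if (handshake_sign(&cred, MSG, MSG_LEN, &sig) != 0)
        return 0;
    return verify_sig(TOY_N, TOY_E, MSG, MSG_LEN, sig);
}

/* Misconfiguration: no key and no callback must be rejected (-1). */
int demo_no_key_no_callback(void)
{
    cert_credentials cred = { NULL, NULL, NULL, TOY_N, TOY_E };
    uint32_t sig = 0;
    return handshake_sign(&cred, MSG, MSG_LEN, &sig);
}

/* A corrupted signature must not verify: x -> x^e mod n is a permutation,
 * so sig+1 can never map to the same digest as sig. */
int demo_corrupted_sig(void)
{
    toy_token tok = { TOY_D, TOY_N };
    cert_credentials cred = { NULL, token_sign, &tok, TOY_N, TOY_E };
    uint32_t sig = 0;
    handshake_sign(&cred, MSG, MSG_LEN, &sig);
    return verify_sig(TOY_N, TOY_E, MSG, MSG_LEN, (sig + 1) % TOY_N);
}

int main(void)
{
    printf("card-signed handshake verifies: %d\n", demo_callback_signing());
    printf("no key, no callback -> %d\n", demo_no_key_no_callback());
    printf("corrupted signature verifies: %d\n", demo_corrupted_sig());
    return 0;
}
```

Build with `cc -std=c99 -o sign_cb sign_cb.c && ./sign_cb`. The point of the layout is that the only place TOY_D is dereferenced is inside token_sign, so nothing in the library path can read or export it, and a credential with neither key nor callback fails closed instead of producing a signature from garbage.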
