[gnutls-dev] RFC: PKCS#11 plans

Simon Josefsson simon at josefsson.org
Tue Apr 24 18:24:40 CEST 2007

ludovic.courtes at laas.fr (Ludovic Courtès) writes:

>> Yeah, but it turned out that gpg-agent cannot support this, since it
>> is not possible to get user certificates from it.
> You mean OpenPGP public key certificates, right?

No, the X.509 user certificates for OpenPGP cards (the card essentially
only contain the RSA key in this situation).  They are not stored on the
smartcard, but rather inside 'gpgsm'.

> If so, can't we tweak the GnuPG people into changing `gnupg-agent' to
> support this?  :-)

Werner said recently on gnupg-users that it would violate the design to
make gnupg-agent be aware of gpgsm and X.509, so I think we've tried and
failed that approach.

Anyway, supporting PKCS#11 will allow us to use Scute, which talks to
gpg-agent, scdaemon and gpgsm.

> As Alon said, it seems that there would be great value into sharing such
> mechanisms among several projects.  Since GnuTLS and GnuPG are
> "siblings" within the GNU Project, it'd make sense to try and find
> solutions suitable to both.

Yup.  However, even if gpg-agent would be changed to support this, I
think it would be useful for GnuTLS to support PKCS#11 too.  After
thinking about it, I don't think it is important to change gpg-agent.  I
no longer think changing it would be a good idea.

Of course, if gpg-agent turns into a PKCS#11 proxy, and can support
loading any PKCS#11 provider and use it for signing etc, then having
GnuTLS speak to it would be one solution.

Btw, the status of my work is that I'm able to read out the certificate
and sign things via Scute, inside GnuTLS.  What remains to be done is to
fix GnuTLS to keep a user certificate without a private key, and to
off-load the signing operation back to the PKCS#11 provider.  I intend
to post step-by-step instructions to connect to test.gnutls.org using a
smartcard within a week or so.

My PKCS#11-fu is weak, but at least it seems quite feasible to support
Scute in GnuTLS.  I don't know how to handle PKCS#11 providers that
needs PINs etc.  Scute fortunately takes care of all such things
internally.  My main goal is to make Scute work, and possibly also
support the Mozilla soft tokens to get their CAs and user credentials.
When the Seahorse stuff is finished, supporting that is also important.
Other PKCS#11 providers, in particular any PKCS#11 plugin that is not
GPL-compatible, is not important to me unless someone financially
sponsor such work.


More information about the Gnutls-devel mailing list