[gnutls-dev] gnome-keyring PKCS#11 provider implemented

Alon Bar-Lev alon.barlev at gmail.com
Tue Dec 4 12:52:30 CET 2007 

On 12/3/07, Stef Walter <stef-list at memberwebs.com> wrote:
> My email to gnutls-dev didn't seem to make it there, but I figured you
> guys would be interested in this:
>
>
> It took longer than I initially thought, but gnome-keyring now has a
> working  PKCS#11 provider. It supports with RSA and DSA keys,
> certificates etc. and integrates them with the user's login keyring.
>
> Some details:
> http://live.gnome.org/GnomeKeyring/CertificatesKeys
> http://live.gnome.org/GnomeKeyring/ApplicationSetup
> http://live.gnome.org/GnomeKeyring
>
> Implementation notes:
> http://live.gnome.org/GnomeKeyring/Cryptoki
>
> The gnome-keyring PKCS#11 provider is probably a bit young and naive,
> and I'd like to make sure that it works with GnuTLS.
>
> In fact I'd be overjoyed if someone with more crypto knowledge than me
> took a look and made sure it's doing things correctly.
>
> The code is in the SVN trunk of gnome-keyring (slated for GNOME 2.22):
> http://svn.gnome.org/svn/gnome-keyring/trunk/
>
> Cheers,
> Stef Walter
>
>

These are great news!

You can use the test program of gnutls-pkcs11 to test if it works with GnuTLS:
http://alon.barlev.googlepages.com/gnutls-pkcs11

This requires pkcs11-helper dependency from:
http://www.opensc-project.org/pkcs11-helper
Be sure to configure this with --enable-crypto-engine-gnutls

You can run the test program:
src/gnutls-pkcs11-cli --add-provider=@@PROVIDER@@ --cmd=ids
src/gnutls-pkcs11-cli --add-provider=/usr/lib/pkcs11/libasepkcs.so
--cmd=connect --pkcs11-id='@@PKCS#11 ID@@' --host=localhost --port=443

You can test this with some of my other solutions, you can use it with
OpenSSH, OpenVPN, eCryptfs, gnupg-pkcs11-scd, these are compete
applications, so it would be easier.

References:
http://alon.barlev.googlepages.com/open-source

I currently support only RSA based keys. I've never seen (touched) a
token that supports DSA... :)
But I will be happy to extend this to DSA as well.

I also appreciate if you can send me the output of:
pkcs11-dump info @@PROVIDER@@
pkcs11-dump slotlist @@PROVIDER@@
pkcs11-dump dump @@PROVIDER@@ @@SLOT@@ @@PIN@@

pkcs11-dump available from:
http://alon.barlev.googlepages.com/pkcs11-utilities

Best Regards,
Alon Bar-Lev.

More information about the Gnutls-devel mailing list