[gnutls-dev] sign callback for certificate authentication
Simon Josefsson
simon at josefsson.org
Tue May 8 12:37:04 CEST 2007
Hi again. I just realized that the work I'm doing on the PKCS#11 branch
is rather similar to what you provided a patch for here. The code is
different from yours, but let me know what you think and whether you can test it:
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2006
I intend to move the external-signing callback API back into the 1.7.x
branch as soon as possible, because it looks rather safe. I'm not sure
about our PKCS#11 interface library. Alon Bar-Lev's comments indicate
that it may be better if we stay out of providing tighter PKCS#11
integration and leave that to him and others to work on. I'd be happy
with that, since I personally think the PKCS#11 interface is too complex
to inspire good confidence in implementations of it. Still, making it
easy to use OpenPGP cards is an important use-case for me.
/Simon
"Jacob Berkman" <jberkman at novell.com> writes:
> Hello,
>
> I've attached a patch to gnutls which adds a callback for the signing
> step of certificate-based authentication. This was needed because
> some smart card policies do not allow private keys to be read/exported
> from them. They implement signing directly on the card.
>
> With this patch, the application can return a NULL private key, and if
> they implement the signing callback, can sign the data themselves.
>
> I developed this patch against gnutls 1.4.4, but it patches and builds
> cleanly against 1.7.7. Please let me know if any changes are
> required.
>
> Thanks,
> -- jacob
>
>
> _______________________________________________
> Gnutls-dev mailing list
> Gnutls-dev at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-dev
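The pattern Jacob describes, a NULL private key plus a signing callback that the library calls at the CertificateVerify step, as an added, self-contained illustration. This is not GnuTLS code and not the patch from the thread: `tls_session_t`, `tls_sign_func`, `tls_certificate_verify`, `toy_card_t` and the error codes are hypothetical names, the RSA parameters (n = 61 * 53, e = 17, d = 2753) are a constructed toy key, and the transcript string is constructed sample input. The point it adds beyond the prose is on the library side: the callback's output is checked against the certificate's public key before it is sent, so a card whose key does not match the certificate, or a card that refuses to sign, fails locally with a distinct error instead of as an opaque alert from the peer.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy RSA key: n = 61 * 53, e = 17, d = 17^-1 mod 3120.
 * A 12-bit modulus stands in for the key that really lives on the card. */
#define TOY_N 3233ULL
#define TOY_E 17ULL
#define TOY_D 2753ULL

static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t r = 1;
    for (base %= mod; exp; exp >>= 1) {
        if (exp & 1) r = (r * base) % mod;
        base = (base * base) % mod;
    }
    return r;
}

/* FNV-1a over the handshake transcript: the digest the library signs. */
static uint64_t toy_digest(const uint8_t *msg, size_t len)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= msg[i]; h *= 1099511628211ULL; }
    return h;
}

/* ---- library side (hypothetical API, not GnuTLS's) ---- */
typedef struct { uint64_t n, e; } tls_cert_t;    /* public key from the certificate */
typedef struct { uint64_t n, d; } tls_privkey_t; /* software key the library can read */

/* External signer: receives the digest the library would otherwise sign itself. */
typedef int (*tls_sign_func)(void *userdata, uint64_t digest, uint64_t *sig);

typedef struct {
    tls_cert_t cert;
    const tls_privkey_t *key; /* NULL when the key must never leave the card */
    tls_sign_func sign_cb;
    void *sign_userdata;
} tls_session_t;

enum { TLS_OK = 0, TLS_E_NO_SIGNER = -1, TLS_E_SIGN_FAILED = -2, TLS_E_BAD_SIGNATURE = -3 };

/* Produce the CertificateVerify signature over the transcript. */
int tls_certificate_verify(tls_session_t *s, const uint8_t *tr, size_t len, uint64_t *sig)
{
    uint64_t digest = toy_digest(tr, len) % s->cert.n;

    if (s->key != NULL) {
        *sig = modpow(digest, s->key->d, s->key->n);
    } else if (s->sign_cb != NULL) {
        if (s->sign_cb(s->sign_userdata, digest, sig) != 0)
            return TLS_E_SIGN_FAILED;   /* card refused: no PIN, removed, ... */
    } else {
        return TLS_E_NO_SIGNER;         /* NULL key and no callback: cannot authenticate */
    }
    /* Check the signature against the certificate before it goes on the wire;
     * this catches a callback that signed with a key the certificate does not match. */
    if (modpow(*sig, s->cert.e, s->cert.n) != digest)
        return TLS_E_BAD_SIGNATURE;
    return TLS_OK;
}

/* The peer's check: only the certificate's public key is needed. */
int tls_peer_check(const tls_cert_t *cert, const uint8_t *tr, size_t len, uint64_t sig)
{
    uint64_t digest = toy_digest(tr, len) % cert->n;
    return modpow(sig, cert->e, cert->n) == digest ? TLS_OK : TLS_E_BAD_SIGNATURE;
}

/* ---- application side: a stand-in for the smart card ---- */
typedef struct { uint64_t n, d; int pin_ok; } toy_card_t;

static int card_sign_cb(void *userdata, uint64_t digest, uint64_t *sig)
{
    toy_card_t *card = userdata;
    if (!card->pin_ok)
        return -1;                               /* the card signs only after PIN entry */
    *sig = modpow(digest, card->d, card->n);     /* d is used here and never exported */
    return 0;
}

static const uint8_t TRANSCRIPT[] = "constructed handshake transcript";
#define TR_LEN (sizeof TRANSCRIPT - 1)

/* Client signs with NULL key + callback, then the peer verifies. */
static int run_handshake(toy_card_t *card, tls_sign_func cb)
{
    tls_session_t s = { { TOY_N, TOY_E }, NULL, cb, card };
    uint64_t sig;
    int rc = tls_certificate_verify(&s, TRANSCRIPT, TR_LEN, &sig);
    return rc != TLS_OK ? rc : tls_peer_check(&s.cert, TRANSCRIPT, TR_LEN, sig);
}

int demo_card_signing(void) { toy_card_t c = { TOY_N, TOY_D, 1 }; return run_handshake(&c, card_sign_cb); }
int demo_locked_card(void)  { toy_card_t c = { TOY_N, TOY_D, 0 }; return run_handshake(&c, card_sign_cb); }
int demo_no_signer(void)    { return run_handshake(NULL, NULL); }
```

`demo_card_signing` returns `TLS_OK` (the peer accepts the card's signature), `demo_locked_card` returns `TLS_E_SIGN_FAILED`, and `demo_no_signer` returns `TLS_E_NO_SIGNER`. The library never holds `d`; it only sees the digest it hands out and the signature it gets back, which is exactly the boundary a non-exportable card key requires.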