[gnutls-dev] GnuTLS PKCS#11 Engine

Simon Josefsson simon at josefsson.org
Mon May 14 13:23:36 CEST 2007


"Alon Bar-Lev" <alon.barlev at gmail.com> writes:

> On 5/14/07, Simon Josefsson <simon at josefsson.org> wrote:
>> It doesn't seem to work.  Here is what happens.  Any ideas?
>
> Yes...
> It seems that it forks.
> After fork, I must call C_Initialize/C_Finalize again to cleanup state
> in child. This is part of PKCS#11 spec.
> Nobody thought about a provider that does fork()... :)
> So I guess Scute should have some kind of recursion protection on
> C_Initialize/C_Finalize and also have a reference counter so that
> multiple calls of C_Initialize will be allowed.

I suppose this is just PKCS#11 internal stuff, and I hope you will solve
it.  If I can assist in testing anything, let me know.

>> One concern I have is any OpenSSL dependency.
>
> Can you please explain...?
> There is none.

pkcs11-helper seems to link to OpenSSL by default.  As far as I
understand, distributions cannot distribute packages that link
pkcs11-helper together with gnutls via your gnutls-pkcs11 legally.
Perhaps gnutls and/or gnutls-pkcs11 could check whether pkcs11-helper
picks up OpenSSL, and if so, emit an error message.

>> Another concern is that I would like GnuTLS to include some native
>> PKCS#11 interface, to support the OpenPGP card, GNOME Seahorse, and
>> possibly NSS's provider directly.  I think it doesn't make sense for
>> GnuTLS to handle PINs etc.  I think GnuTLS should assume the PKCS#11
>> provider takes care of PIN entry internally.  (Although I don't know how
>> the NSS provider works.)  I don't yet know how this is best implemented.
>> Including a copy of pkcs11-helper and your gnutls-pkcs11 library
>> (assuming the copyright and license situation is suitable) is a
>> possibility.
>
> Why not just maintain it as a separate component?
> What is the benefit in maintaining one large library?

They are separate components, see the pkcs11-branch: there is a
standalone libgnutls-pkcs11 library (see the top-level pkcs11/
directory) that provides a simple PKCS#11 interface to Scute via the
header gnutls/pkcs11.h.  Applications can choose to implement the sign
callback using GnuTLS's pkcs11 library, but then they'll have to link to
it, or your library, or some other library (that may use CAPI or
whatever).

/Simon
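The C_Initialize/C_Finalize behaviour Alon describes above (a reference counter so nested initialization is allowed, plus re-initialization in a forked child), as an added example that is not code from this thread, from pkcs11-helper or from Scute.  The provider below is a constructed stand-in that only counts calls; the `_for(pid)` variants exist so the fork case can be exercised without actually forking.

```c
/* Added example: reference-counted, fork-aware wrapper around a PKCS#11
 * provider's C_Initialize/C_Finalize.  The backend here is a constructed
 * stand-in that counts calls; a real build would call the entries from the
 * function list returned by the provider's C_GetFunctionList(). */
#include <sys/types.h>
#include <unistd.h>

/* Constructed stand-in for the provider entry points. */
static int backend_init_calls = 0;
static int backend_fini_calls = 0;
static int backend_C_Initialize(void) { backend_init_calls++; return 0; }
static int backend_C_Finalize(void)   { backend_fini_calls++; return 0; }

/* Wrapper state: how many callers hold the provider open, and which process
 * initialized it.  A child inherits this memory after fork(), but PKCS#11
 * requires the child to call C_Initialize itself, so a pid mismatch means
 * "state inherited from the parent, not ours". */
static int   refcount  = 0;
static pid_t owner_pid = 0;

/* pid is a parameter so the fork case can be tested without forking. */
int wrapper_initialize_for(pid_t pid) {
    if (refcount > 0 && owner_pid != pid)
        refcount = 0;            /* stale parent state: start over in the child */
    if (refcount == 0) {
        int rv = backend_C_Initialize();
        if (rv != 0)
            return rv;           /* provider failed; leave count untouched */
        owner_pid = pid;
    }
    refcount++;                  /* nested C_Initialize is allowed */
    return 0;
}

int wrapper_finalize_for(pid_t pid) {
    if (refcount == 0 || owner_pid != pid)
        return -1;               /* not initialized by this process: refuse */
    if (--refcount == 0)
        return backend_C_Finalize();   /* last holder really finalizes */
    return 0;
}

int wrapper_initialize(void) { return wrapper_initialize_for(getpid()); }
int wrapper_finalize(void)   { return wrapper_finalize_for(getpid()); }

/* Accessors so the behaviour can be checked from outside. */
int wrapper_refcount(void)           { return refcount; }
int wrapper_backend_init_calls(void) { return backend_init_calls; }
int wrapper_backend_fini_calls(void) { return backend_fini_calls; }
```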
