gnutls with pkcs
Simon Josefsson
simon at josefsson.org
Tue Feb 26 18:14:43 CET 2008
Pavlov Konstantin <thresh at altlinux.ru> writes:
> Hello, what's the current status of PKCS support in GnuTLS?
>
> 1.7 branch
> (http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=shortlog;h=gnutls_1_7_14_with_pkcs11)
> seems to be abandoned.
The following APIs were pulled into the stable release based on that
branch:
  /* application-supplied signing function */
  typedef int (*gnutls_sign_func) (gnutls_session_t session,
                                   void *userdata,
                                   gnutls_certificate_type_t cert_type,
                                   const gnutls_datum_t * cert,
                                   const gnutls_datum_t * hash,
                                   gnutls_datum_t * signature);

  /* register the signing function on a session */
  void gnutls_sign_callback_set (gnutls_session_t session,
                                 gnutls_sign_func sign_func,
                                 void *userdata);

  /* retrieve the registered signing function and its userdata */
  gnutls_sign_func
  gnutls_sign_callback_get (gnutls_session_t session,
                            void **userdata);
Those APIs allow you to connect GnuTLS with any PKCS#11 mechanism, but
you need to do the PKCS#11 glue work.
The gnutls-pkcs11 library that did the glue work is not included with
GnuTLS today. The reason is that libgnutls-pkcs11 is linked to Scute at
compile-time. That works fine if you want to use OpenPGP cards, but if
you want to use another PKCS#11 mechanism, you have to recompile the
library. That wasn't very flexible, and it didn't feel finished enough
to include in the stable branch.
Possibly the library could use dlopen instead, opening a library
requested by the application.
Does this answer the question?
Are you interested in seeing the gnutls-pkcs11 library merged? We could
look into what it would take to dlopen some library that the application
requested.
/Simon
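As an added example (not GnuTLS or gnutls-pkcs11 code) of the dlopen-based glue proposed above: a small loader that opens a PKCS#11 module at a path chosen by the application and resolves its standard C_GetFunctionList entry point, refusing relative paths so the loader search path cannot decide what gets loaded. The CK_* declarations are a minimal stand-in for pkcs11.h, and the default module path in main is a placeholder.

```c
/* Added example (not GnuTLS code): the dlopen glue proposed in the message, loading
 * a PKCS#11 module the application names. CK_* is a minimal stand-in for pkcs11.h. */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
typedef unsigned long CK_RV;                       /* PKCS#11 return code */
typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;  /* opaque for our purposes */
typedef CK_RV (*CK_C_GetFunctionList)(CK_FUNCTION_LIST **);
#define CKR_OK 0UL
enum p11_load_status {
    P11_LOAD_OK = 0,
    P11_LOAD_BAD_PATH,      /* refused: not an absolute path */
    P11_LOAD_DLOPEN_FAILED, /* dlopen() could not load the file */
    P11_LOAD_NO_ENTRY,      /* loaded, but it is not a PKCS#11 module */
    P11_LOAD_INIT_FAILED    /* C_GetFunctionList itself reported an error */
};
struct p11_module { void *handle; CK_FUNCTION_LIST *funcs; };

/* Only absolute paths are accepted, so which code gets loaded is decided by the
 * application and not by the dynamic loader search path (LD_LIBRARY_PATH, cwd). */
enum p11_load_status p11_module_load(const char *path, struct p11_module *out)
{
    memset(out, 0, sizeof *out);
    if (path == NULL || path[0] != '/')
        return P11_LOAD_BAD_PATH;
    /* RTLD_NOW: unresolved symbols fail here, not inside a later TLS handshake.
     * RTLD_LOCAL: the module's symbols do not leak into the global namespace. */
    void *h = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL)
        return P11_LOAD_DLOPEN_FAILED;
    CK_C_GetFunctionList get_list = (CK_C_GetFunctionList) dlsym(h, "C_GetFunctionList");
    if (get_list == NULL) { dlclose(h); return P11_LOAD_NO_ENTRY; }
    CK_FUNCTION_LIST *list = NULL;
    if (get_list(&list) != CKR_OK || list == NULL) { dlclose(h); return P11_LOAD_INIT_FAILED; }
    out->handle = h;
    out->funcs = list;   /* a gnutls_sign_func would reach C_SignInit/C_Sign through this */
    return P11_LOAD_OK;
}

void p11_module_unload(struct p11_module *m) { if (m->handle) dlclose(m->handle); memset(m, 0, sizeof *m); }

int main(int argc, char **argv)
{
    struct p11_module m;
    const char *path = argc > 1 ? argv[1] : "/path/to/pkcs11-module.so"; /* placeholder path */
    enum p11_load_status st = p11_module_load(path, &m);
    printf("%s: status %d%s\n", path, (int) st, st == P11_LOAD_OK ? " (loaded)" : "");
    p11_module_unload(&m);
    return st == P11_LOAD_OK ? 0 : 1;
}
```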
More information about the Gnutls-devel mailing list