request for comments: PKCS #11

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Jun 9 13:47:25 CEST 2010


Hello,
 I sent this to you because you have previously expressed your
interest on PKCS #11 support in gnutls or you have already implement
it (in that case I have taken ideas already from you), or I'd be
interested in your comments.  I have added PKCS #11 support in gnutls
and I would like your comments and ideas. The basic functionality
supported is reading public and private keys (as well as
certificates), using private keys for operations and storing private
keys and certificates to tokens (smart cards etc). To reference any
objects I used PKCS #11 URLs as specified in
http://tools.ietf.org/html/draft-pechanec-pkcs11uri-01.  This has the
advantage that all existing applications that use the gnutls functions
to load keys/certificates will be able to use pkcs11 urls
transparently. For example I can use gnutls-cli with a certificate and
private key residing in my smart card, and use the trusted certificate
list in gnome-keyring for verification.

The current API can be found at:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=blob;f=lib/includes/gnutls/pkcs11.h;h=22850d09788913f121145fd38404fd69cd8a37ce;hb=HEAD

API for abstract data types that handle private and public keys either
in PCKS #11 or in gnutls_x509_* format.
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=blob;f=lib/includes/gnutls/abstract.h;h=77e7994a5e87c4d1d2e95b0d8dfac4c8e9d223b5;hb=HEAD

And some text describing it is at (sorry it is raw .texi for now):
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=blob;f=doc/cha-cert-auth.texi;h=68999e1d80efc47ba12a490510a708b7cc0fee88;hb=HEAD#l322
as well as an image on how I think it will be used:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=blob;f=doc/pkcs11-vision.png;h=15c14f4e39ff6acb0a46124e626a356ef2f1a0fa;hb=HEAD

regards,
Nikos




More information about the Gnutls-devel mailing list