[gnutls-devel] plans for plugin support?

Benedikt Klotz benedikt.knoppix at web.de
Tue Jun 2 17:52:13 CEST 2015

Hi Nikos,

>>> For symmetric key algorithms we support cryptodev (i.e., /dev/crypto)
>>> on systems that support it. Are there any other plugin mechanisms you
>>> are interested in?
>> If I understand this correctly /dev/crypto is a kernel device. I am more
>> interested in /lib/accelerated, because the external provider does not
>> use /dev/crypto.
>> I could write my code in a module under /lib/accelerated. However my
>> code needs to call dlopen(), because the only right way [3] to enable
>> the external provider is through another library.
>> Is this something you would accept?
> What API does that module provide? If it is PKCS #11 or some other
> standardized API that would be indeed quite interesting.

Thanks for the pointer with PKCS #11.

The module does provide a native crypto API and a PKCS #11 API (over a
meta PKCS #11 library). The problem with the PKCS #11 API is that the
crypto operations are not as fast as over the native crypto API. I will
test if this API is fast enough for my needs [1] or if the native crypto
API should be used.
>> However this would not solve the problem that an application cannot
>> change the crypto backend to another provider. I would still prefer a
>> plugin concept, where an application (or GnuTLS for the application) can
>> load a shared object that sets up the external provider. This would give
>> the maximum flexibility.
> For asymmetric keys this flexibility is currently available, so your
> argument is about symmetric algorithm if I understand correctly. Let's
> first settle on what module API we are talking about and then we see
> (because if for example this is about a PKCS #11 API we can have this
> flexibility using p11-kit again).

The module does support asymmetric and symmetric operations over the

p11tool --list-mechanism "pkcs11:myModule"

[0x0001] CKM_RSA_PKCS
[0x0003] CKM_RSA_X_509
[0x0005] CKM_MD5_RSA_PKCS
[0x0006] CKM_SHA1_RSA_PKCS
[0x0040] CKM_SHA256_RSA_PKCS
[0x0041] CKM_SHA384_RSA_PKCS
[0x0042] CKM_SHA512_RSA_PKCS
[0x0120] CKM_DES_KEY_GEN
[0x0121] CKM_DES_ECB
[0x0122] CKM_DES_CBC
[0x0125] CKM_DES_CBC_PAD
[0x0131] CKM_DES3_KEY_GEN
[0x0132] CKM_DES3_ECB
[0x0133] CKM_DES3_CBC
[0x0134] CKM_DES3_MAC
[0x0136] CKM_DES3_CBC_PAD
[0x0210] CKM_MD5
[0x0211] CKM_MD5_HMAC
[0x0220] CKM_SHA_1
[0x0221] CKM_SHA_1_HMAC
[0x0250] CKM_SHA256
[0x0251] CKM_SHA256_HMAC
[0x0260] CKM_SHA384
[0x0261] CKM_SHA384_HMAC
[0x0270] CKM_SHA512
[0x0271] CKM_SHA512_HMAC
[0x1080] CKM_AES_KEY_GEN
[0x1081] CKM_AES_ECB
[0x1082] CKM_AES_CBC
[0x1083] CKM_AES_MAC
[0x1085] CKM_AES_CBC_PAD

(I have removed all unknown mechanisms that p11tool does not recognise) 

I have tried to generate an RSA key with p11tool, but this causes a PKCS
#11 error:

p11tool --login --generate-rsa --bits 1024 --label "MyNewKey" --outfile MyNewKey.pub "pkcs11:model=MyModule"
Token 'MYToken' with URL 'MyModule' requires user PIN
Enter PIN:
Error in pkcs11_generate:505: PKCS #11 error.

I will try to debug this further tomorrow.



[1]: It should still be faster than the software implementation of GnuTLS.
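
Added example, not part of the original message and not GnuTLS code: a small parser for the `[0xNNNN] CKM_...` listing format shown above that buckets the advertised mechanisms, so the symmetric and asymmetric coverage of a PKCS #11 module can be compared at a glance. The sample is an excerpt of the listing in the message; the bucket names and the name-based classification rules are assumptions of this example, not taken from the PKCS #11 specification.

```python
import re
from collections import defaultdict

# Excerpt of the p11tool mechanism listing quoted in the message above.
SAMPLE = """\
[0x0001] CKM_RSA_PKCS
[0x0040] CKM_SHA256_RSA_PKCS
[0x0131] CKM_DES3_KEY_GEN
[0x0133] CKM_DES3_CBC
[0x0134] CKM_DES3_MAC
[0x0250] CKM_SHA256
[0x0251] CKM_SHA256_HMAC
[0x1080] CKM_AES_KEY_GEN
[0x1082] CKM_AES_CBC
[0x1085] CKM_AES_CBC_PAD
"""

LINE = re.compile(r"^\[0x([0-9A-Fa-f]+)\]\s+(CKM_\w+)$")

def parse_mechanisms(text):
    """Return [(mechanism_id, name), ...]; lines in any other shape are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            found.append((int(m.group(1), 16), m.group(2)))
    return found

def classify(name):
    """Coarse bucket derived from the CKM_ name (heuristic; order of checks matters)."""
    if name.endswith(("_KEY_GEN", "_KEY_PAIR_GEN")):
        return "keygen"
    if "_RSA" in name:                      # also catches CKM_SHA256_RSA_PKCS etc.
        return "asymmetric"
    if name.endswith(("_HMAC", "_MAC")):
        return "mac"
    if re.search(r"_(ECB|CBC)(_PAD)?$", name):
        return "symmetric"
    if re.match(r"CKM_(MD5|SHA)", name):
        return "digest"
    return "other"

def group(text):
    """Map bucket -> mechanism names, in listing order."""
    groups = defaultdict(list)
    for _mech_id, name in parse_mechanisms(text):
        groups[classify(name)].append(name)
    return dict(groups)

if __name__ == "__main__":
    for bucket, names in sorted(group(SAMPLE).items()):
        print(f"{bucket:10} {', '.join(names)}")
```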
