[gnutls-devel] plans for plugin support?
benedikt.knoppix at web.de
Tue Jun 2 17:52:13 CEST 2015
>>> For symmetric key algorithms we support cryptodev (i.e., /dev/crypto)
>>> on systems that support it. Are there any other plugin mechanisms you
>>> are interested at?
>> If I understand this correctly /dev/crypto is a kernel device. I am more
>> interested in /lib/accelerated, because the external provider does not
>> use /dev/crypto.
>> I could write my code in a module under /lib/accelerated. However my
>> code needs to call dlopen(), because the only right way to enable
>> the external provider is through another library.
>> Is this something you would accept?
> What API does that module provide? If it is PKCS #11 or some other
> standardized API that would be indeed quite interesting.
Thanks for the pointer with PKCS #11.
The module does provide a native crypto API and a PKCS #11 API (over a
meta PKCS #11 library). The problem with the PKCS #11 API is that the
crypto operations are not as fast as over the native crypto API. I will
test if this API is fast enough for my need or if the native crypto
API should be used.
>> However this would not solve the problem that an application cannot
>> change the crypto backend to another provider. I would still prefer a
>> plugin concept, where an application (or GnuTLS for the application) can
>> load a shared object that sets up the external provider. This would give
>> the maximum flexibility.
> For asymmetric keys this flexibility is currently available, so your
> argument is about symmetric algorithms if I understand correctly. Let's
> first settle on what module API we are talking about and then we see
> (because if for example this is about a PKCS #11 API we can have this
> flexibility using p11-kit again).
The module does support asymmetric and symmetric operations over the
PKCS #11 API:
p11tool --list-mechanism "pkcs11:myModule"
(I have removed all unknown mechanisms that p11tool does not recognise)
I have tried to generate an RSA key with p11tool, but this causes a PKCS
p11tool --login --generate-rsa --bits 1024 --label "MyNewKey" --outfile
Token 'MYToken' with URL 'MyModule' requires user PIN
Error in pkcs11_generate:505: PKCS #11 error.
I will try to debug this further tomorrow.
It should still be faster than the software implementation of GnuTLS.