[Help-gnutls] Re: OpenSC and GnuTLS

[Simon Josefsson]

Daniel Kahn Gillmor <dkg-debian.org at fifthhorseman.net> writes:

> On Fri 2007-05-04 08:18:18 -0400, Simon Josefsson wrote:
>
>> If you can point to a PKCS#11 provider for your card, I can see if I
>> can make GnuTLS support linking to it -- I probably can't test it
>> myself though.
>
> on debian lenny (and probably etch too), the libopensc2 package
> provides /usr/lib/opensc-pkcs11.so:
>
>    http://packages.qa.debian.org/o/opensc.html
>
> is that what you're looking for?  i confess i still don't know enough
> about how the smartcard infrastructure works.  But if you can get
> opensc to work, i think you'll enable many more cards than just the
> eGate that i'm using.

Yup.

That library appear to be linked with non-GPL compatible libraries
(OpenSSL), though, so it may not be possible to distribute anything that
support this approach.  But using it to test my PKCS#11 implementation
would still be possible.

Another thing that would be useful is if I can figure out how to link to
NSS's soft token PKCS#11 library.

> If that's not what you're looking for, give me more details, and i'll
> try to find someting more appropriate.

What I don't know is how to link to it... Removing '-lscute' and adding
'/usr/lib/opensc-pkcs11.so' links fine:

jas at mocca:~/src/gnutls-pkcs11/pkcs11$ /bin/sh ../libtool --tag=CC   --mode=link gcc -std=gnu99  -D_REENTRANT -D_THREAD_SAFE -g -Wall -Wcast-align -W -Wpointer-arith -Wchar-subscripts -Wformat-security -Wno-format-y2k -Wmissing-braces -Winline -Wstrict-prototypes -Wno-unused-parameter -Wno-pointer-sign -pipe -I/usr/local/include  -I/usr/local/include -no-undefined -version-info 21:1:8 -L/usr/local/lib -lassuan -L/usr/local/lib -lgpg-error -R/usr/local/lib  -o libgnutls-pkcs11.la -rpath /usr/local/lib gnutls_pkcs11.lo ../lib/libgnutls.la /usr/lib/opensc-pkcs11.so
rm -fr  .libs/libgnutls-pkcs11.a .libs/libgnutls-pkcs11.la .libs/libgnutls-pkcs11.lai .libs/libgnutls-pkcs11.so .libs/libgnutls-pkcs11.so.13 .libs/libgnutls-pkcs11.so.13.8.1
gcc -std=gnu99 -shared  .libs/gnutls_pkcs11.o  -Wl,--rpath -Wl,/usr/local/lib -Wl,--rpath -Wl,/home/jas/src/gnutls-pkcs11/lib/.libs -Wl,--rpath -Wl,/usr/local/lib -L/usr/local/lib -lassuan /usr/local/lib/libgpg-error.so ../lib/.libs/libgnutls.so  -Wl,-soname -Wl,libgnutls-pkcs11.so.13 -o .libs/libgnutls-pkcs11.so.13.8.1
(cd .libs && rm -f libgnutls-pkcs11.so.13 && ln -s libgnutls-pkcs11.so.13.8.1 libgnutls-pkcs11.so.13)(cd .libs && rm -f libgnutls-pkcs11.so && ln -s libgnutls-pkcs11.so.13.8.1 libgnutls-pkcs11.so)
ar cru .libs/libgnutls-pkcs11.a  gnutls_pkcs11.o
ranlib .libs/libgnutls-pkcs11.a
creating libgnutls-pkcs11.la
(cd .libs && rm -f libgnutls-pkcs11.la && ln -s ../libgnutls-pkcs11.la
libgnutls-pkcs11.la)

However, for some reason, the opensc-pkcs11 library doesn't get pulled
in:

jas at mocca:~/src/gnutls-pkcs11/pkcs11$ ldd .libs/libgnutls-pkcs11.so
        linux-gate.so.1 =>  (0xffffe000)
        libgpg-error.so.0 => /usr/local/lib/libgpg-error.so.0 (0xb7fa0000)
        libgnutls.so.13 => /usr/local/lib/libgnutls.so.13 (0xb7f03000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7dc2000)
        libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7dac000)
        libz.so.1 => /usr/lib/libz.so.1 (0xb7d98000)
        libgcrypt.so.11 => /usr/local/lib/libgcrypt.so.11 (0xb7d47000)
        /lib/ld-linux.so.2 (0x80000000)
jas at mocca:~/src/gnutls-pkcs11/pkcs11$

So when I start gnutls-cli, it complains that C_Initialize (the PKCS#11
init function) is not available, which is correct.

Perhaps opensc-pkcs11.so needs to be dlopen()'d, or something else is
needed.

/Simon