[gnutls-help] Using TPM with PKCS#11 applications

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Dec 5 18:19:51 CET 2013

On Thu, Dec 5, 2013 at 5:45 PM, Thomas Habets <thomas at habets.se> wrote:

>>> and GnuTLS supports *using* PKCS#11, but doesn't support
>>> being used as a PKCS#11 provider. Is that right?
>> No. GnuTLS doesn't provide a PKCS #11 module.
> I'm not sure if you misread what I wrote. What do you mean by "PKCS #11 module"?

A .so library that provides the PKCS #11 interface.

> It looks on this illustration like it can interface with PKCS#11
> providers at least:
>   http://www.gnutls.org/manual/html_node/Smart-cards-and-HSMs.html
> but I don't see evidence of being able to act as a PKCS#11 provider.

Indeed, it can read from other providers, but itself is not one. If I
understood correctly, gnome-keyring may be closer to what you're
looking for - https://wiki.gnome.org/Projects/GnomeKeyring/Architecture.
I don't know the status of its TPM support though.

>> The trousers library provides a PKCS #11 front-end. I've never managed
>> to set it up though.
> Do you mean libopencryptoki.so? I've deliberately chosen not to use
> that one for various reasons.

Would you mind sharing them?

