[gnutls-dev] [RFC] gnutls-pkcs11

Alon Bar-Lev alon.barlev at gmail.com
Sat Aug 18 14:04:14 CEST 2007

Hello all,

I would like to receive some input regarding gnutls-pkcs11 API.



As I am not gnutls developer, I may have done something against the conventions.

The main issues PKCS#11 implementation should handle are:

1. Support many variant of PKCS#11 providers' implementations

To allow this I added a generic (unimplemented yet) params string to
initialization and provider addition.

The format would be name=value;name=value;

2. Support many providers at the same time.

Most (large) user installation have many types of providers, allowing
application to work with all without difference is important.

3. Access to token is not guarantee

Even if the token was available at session establishment, it may not
be available later on. We should have a way to prompt the user to
insert his token when required.

4. Passphrase management

Unlike files, token may require passphrase several times during a
session, for example if it is removed and insert or it has internal

5. Identity serialization

When certificate is requested, we may have or may not have the
required token in the reader.
But in order to allow people to select a specific certificate to a
specific session, we should be able to serialize the identity so that
it can be used in later transactions.

So we end up with new type: gnutls_pkcs11_certificate_t.

When x509 certificate is needed you can:
gnutls_pkcs11_get_crt (pkcs11_cert, &x509)

Best Regards,
Alon Bar-Lev.

More information about the Gnutls-devel mailing list