[gnutls-dev] [RFC] gnutls-pkcs11

Simon Josefsson simon at josefsson.org
Sat Aug 18 18:57:40 CEST 2007


"Alon Bar-Lev" <alon.barlev at gmail.com> writes:

> Hello all,
>
> I would like to receive some input regarding gnutls-pkcs11 API.
>
> Source:
> http://alon.barlev.googlepages.com/gnutls-pkcs11-0.02.tar.bz2
>
> Doc:
> http://alon.barlev.googlepages.com/gnutls-pkcs11-doc-0.02.tar.bz2
>
> As I am not gnutls developer, I may have done something against the
> conventions.

I think I have identified one problem.  How do you handle multiple
certificates/keys?  In the callback, you don't appear to inspect the
cert variable, and thus your code cannot know which certificate GnuTLS
want to use for signing.

That is, if I'm reading the code correctly.  I just looked briefly.

Consider the following scenario: the user has two certificates with one
private keys for each.  The certificates are stored in GnuTLS using
normal APIs (i.e., gnutls_certificate_set_x509_key_mem with NULL keys).
GnuTLS will select the appropriate user cert (one of the two certs) to
use against each server, depending on the CA list received from the
server.  The certificate (which uniquely identify the private) to use
for signing is passed in the 'cert' parameter to the sign_callback
function.  The callback need to locate the private key in the PKCS#11
backend(s) that match that user certificate, and use that key for
signing.

Otherwise I don't see any issues.

/Simon




More information about the Gnutls-devel mailing list