[gnutls-dev] GnuTLS 1.7.8.p11.0

Simon Josefsson simon at josefsson.org
Mon May 7 10:27:25 CEST 2007


"Alon Bar-Lev" <alon.barlev at gmail.com> writes:

> On 5/4/07, Simon Josefsson <simon at josefsson.org> wrote:
>> I don't understand this.  It seems to me that anyone who can make the
>> PKCS#11 provider give GnuTLS an insecure CA cert can also provide GnuTLS
>> directly with an insecure CA cert.
>>
>> Could you describe how the attack would work?
>
> You insert your token in my computer, I put my own self-signed
> certificate as trusted in your token, then you come back to your token
> and work with my fake TLS server side certificate.

Oh, I see.  Are there smart cards out there that don't require an
admin-PIN in order to do that?  Maybe it would be good to document this
somewhere, it seems like a good thing to know before buying such
products.

If this is the case, I'll add documentation for
gnutls_pkcs11_get_ca_certificates:

 * Note that there exist PKCS#11 providers that allow users to add
 * trusted CA certificates to the underlying crypto storage.  Thus, an
 * attacker could, if they can access your smart card, install a new
 * trusted CA on your smart card, and then cause this function to
 * return their CA.  Be aware of this threat when using this function
 * in your application.

>> I don't know how to solve this yet.  If you want to work on it, that
>> could help, although right now I just want to get client-PKI via the
>> OpenPGP smart card to work, and that's my main priority.
>
> Well... I see we are not communicating well... So I say this last time
> and I say this clearly.
>
> I offer you the quickest way to achieve your goal.
> Split the work into two parts, one part is the GnuTLS infrastructure
> missing external private key implementation, the other is PKCS#11
> engine.

Well, as I've tried to explain, that is what I'm working on.  What may
be confusing is that I'm _also_ working on an optional libgnutls-pkcs11
that links to Scute.  That is written for testing purposes, since the
only smart card I have is an OpenPGP smart card, and I've decided that
my goal for this project is to make OpenPGP cards work with
client-authenticated connections (and I chose PKCS#11 to do that).

Hopefully the signing infrastructure will be released within a few
weeks, and then you can try it...

/Simon
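
An added example (not part of the original message and not GnuTLS code): one way an application can guard against the threat discussed above is to treat the CA list read from a token as untrusted input and accept only certificates whose SHA-256 fingerprint was recorded at enrollment and is kept off the token. The function names, the pin set and the placeholder byte strings are assumptions made for illustration.

```python
import hashlib


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def audit_token_cas(token_cas, pinned):
    """Compare CA certificates read from a token against off-token pins.

    token_cas: iterable of DER byte strings as returned by the provider.
    pinned:    set of fingerprints recorded at enrollment and stored
               outside the token, so access to the card alone cannot
               extend the trusted set.
    Returns a dict with:
      trusted  - DER certs whose fingerprint is pinned (safe to load)
      rejected - fingerprints present on the token but not pinned
      missing  - pinned fingerprints no longer present on the token
    """
    trusted, rejected, seen = [], [], set()
    for der in token_cas:
        fp = fingerprint(der)
        seen.add(fp)
        if fp in pinned:
            trusted.append(der)
        else:
            rejected.append(fp)  # log and alert; never add to the trust list
    missing = sorted(set(pinned) - seen)
    return {"trusted": trusted, "rejected": rejected, "missing": missing}


# Constructed sample data: placeholder bytes standing in for DER certificates.
CA_ORG = b"constructed-DER-bytes: organisation CA"
CA_BACKUP = b"constructed-DER-bytes: backup CA"
CA_ROGUE = b"constructed-DER-bytes: self-signed CA added by a third party"

# Pins captured at enrollment (hypothetical store, kept off the token).
PINNED = frozenset({fingerprint(CA_ORG), fingerprint(CA_BACKUP)})


def demo():
    # The token now returns the organisation CA plus one unexpected CA.
    return audit_token_cas([CA_ORG, CA_ROGUE], PINNED)


if __name__ == "__main__":
    report = demo()
    print("trusted :", len(report["trusted"]))
    print("rejected:", report["rejected"])
    print("missing :", report["missing"])
```

Only the `trusted` list should be handed to the TLS library as trust anchors; a non-empty `rejected` or `missing` list indicates that the token's contents changed since enrollment.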



