[gnutls-dev] sign callback for certificate authentication

Alon Bar-Lev alon.barlev at gmail.com
Tue May 8 21:55:05 CEST 2007

Hello Simon,

Can you please clean up the branch removing the scute requirement and
PKCS#11 implementation, leaving only the engine callbacks so I can
work on this?

BTW: Your API needs to allow adding a user data pointer so that callbacks
will be able to access some private data.

Ludovic already suggested this at:
And I already suggested it at:

BTW2: You should add a cleanup callback, so that resources can be
released on session end.

We can discuss the API before you start implementation, so if you
provide the prototypes before implementation it will allow reduce

Best Regards,
Alon Bar-Lev.

On 5/8/07, Simon Josefsson <simon at josefsson.org> wrote:
> Hi again.  I just realized that the work I'm doing on the PKCS#11 branch
> is rather similar to what you provided a patch for here.  The code is
> different from yours, but let me know what you think and if you can test it:
> http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2006
> I intend to move the external-signing callback API back into the 1.7.x
> branch as soon as possible, because it looks rather safe.  I'm not sure
> about our PKCS#11 interface library.  Alon Bar-Lev's comments indicate
> that it may be better if we stay out of providing tighter PKCS#11
> integration and leave that to him and others to work on.  I'd be happy
> with that, since I personally think the PKCS#11 interface is too complex
> to inspire good confidence in implementations of it.  Still, making it
> easy to use OpenPGP cards is an important use-case for me.
> /Simon
> "Jacob Berkman" <jberkman at novell.com> writes:
> > Hello,
> >
> > I've attached a patch to gnutls which adds a callback for the signing
> > step of certificate-based authentication.  This was needed because
> > some smart card policies do not allow private keys to be read/exported
> > from them.  They implement signing directly on the card.
> >
> > With this patch, the application can return a NULL private key, and if
> > they implement the signing callback, can sign the data themselves.
> >
> > I developed this patch against gnutls 1.4.4, but it patches and builds
> > cleanly against 1.7.7.  Please let me know if any changes are
> > required.
> >
> > Thanks,
> >  -- jacob
> >
> >
> > _______________________________________________
> > Gnutls-dev mailing list
> > Gnutls-dev at gnupg.org
> > http://lists.gnupg.org/mailman/listinfo/gnutls-dev