[gnutls-dev] sign callback for certificate authentication

Alon Bar-Lev alon.barlev at gmail.com
Tue May 8 21:55:05 CEST 2007


Hello Simon,

Can you please clean up the branch removing the scute requirement and
PKCS#11 implementation, leaving only the engine callbacks so I can
work on this?

BTW: Your API needs to allow adding a user data pointer so that callbacks
will be able to access some private data.

Ludovic already suggested this at:
http://lists.gnupg.org/pipermail/gnutls-dev/2007-April/001434.html
And I already suggested it at:
http://lists.gnupg.org/pipermail/gnutls-dev/2007-May/001557.html

BTW2: You should add a cleanup callback, so that resources can be
released on session end.
http://lists.gnupg.org/pipermail/gnutls-dev/2007-May/001557.html

We can discuss the API before you start implementation, so if you
provide the prototypes before implementation it will help reduce
effort.

Best Regards,
Alon Bar-Lev.

On 5/8/07, Simon Josefsson <simon at josefsson.org> wrote:
> Hi again.  I just realized that the work I'm doing on the PKCS#11 branch
> is rather similar to what you provided a patch for here.  The code is
> different from yours, but let me know what you think and if you can test it:
>
> http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2006
>
> I intend to move the external-signing callback API back into the 1.7.x
> branch as soon as possible, because it looks rather safe.  I'm not sure
> about our PKCS#11 interface library.  Alon Bar-Lev's comments indicate
> that it may be better if we stay out of providing tighter PKCS#11
> integration and leave that to him and others to work on.  I'd be happy
> with that, since I personally think the PKCS#11 interface is too complex
> to inspire good confidence in implementations of it.  Still, making it
> easy to use OpenPGP cards is an important use-case for me.
>
> /Simon
>
> "Jacob Berkman" <jberkman at novell.com> writes:
>
> > Hello,
> >
> > I've attached a patch to gnutls which adds a callback for the signing
> > step of certificate-based authentication.  This was needed because
> > some smart card policies do not allow private keys to be read/exported
> > from them.  They implement signing directly on the card.
> >
> > With this patch, the application can return a NULL private key, and if
> > they implement the signing callback, can sign the data themselves.
> >
> > I developed this patch against gnutls 1.4.4, but it patches and builds
> > cleanly against 1.7.7.  Please let me know if any changes are
> > required.
> >
> > Thanks,
> >  -- jacob
> >
> >
> > _______________________________________________
> > Gnutls-dev mailing list
> > Gnutls-dev at gnupg.org
> > http://lists.gnupg.org/mailman/listinfo/gnutls-dev
>
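The two API points raised above, a user data pointer handed back to the sign callback and a cleanup callback run at session end, sketched in C as an added example. This is not GnuTLS code and not the API from either patch; the session_t, mock_card_t, session_set_sign_callback, session_handshake_sign and session_end names are hypothetical, and the XOR "signature" only stands in for an on-card RSA operation.

```c
#include <stddef.h>
#include <stdint.h>

typedef struct session session_t;

/* Sign callback: gets the per-session user data so it can reach its card handle. */
typedef int (*sign_func_t)(session_t *s, void *userdata, const uint8_t *hash,
                           size_t hash_len, uint8_t *sig, size_t *sig_len);
/* Cleanup callback: run at session end so card resources can be released. */
typedef void (*cleanup_func_t)(session_t *s, void *userdata);

struct session { sign_func_t sign; cleanup_func_t cleanup; void *userdata; };

/* Constructed stand-in for a smart card whose private key never leaves it. */
typedef struct { uint8_t key[4]; int open; int sign_count; } mock_card_t;

static int card_sign(session_t *s, void *userdata, const uint8_t *hash,
                     size_t hash_len, uint8_t *sig, size_t *sig_len) {
    mock_card_t *card = userdata;
    (void)s;
    if (!card || !card->open || *sig_len < hash_len) return -1;
    for (size_t i = 0; i < hash_len; i++) sig[i] = hash[i] ^ card->key[i % 4];
    *sig_len = hash_len;
    card->sign_count++;
    return 0;
}

static void card_cleanup(session_t *s, void *userdata) {
    mock_card_t *card = userdata;
    (void)s;
    if (card) card->open = 0;          /* release the card at session end */
}

void session_set_sign_callback(session_t *s, sign_func_t f, cleanup_func_t c, void *ud) {
    s->sign = f; s->cleanup = c; s->userdata = ud;
}

/* Called by the handshake when the application returned a NULL private key. */
int session_handshake_sign(session_t *s, const uint8_t *hash, size_t n,
                           uint8_t *sig, size_t *sig_len) {
    if (!s->sign) return -1;           /* no key and no callback: nothing can sign */
    return s->sign(s, s->userdata, hash, n, sig, sig_len);
}

void session_end(session_t *s) { if (s->cleanup) s->cleanup(s, s->userdata); }

/* Two sessions on two cards: the userdata pointer keeps each handshake on its own card. */
int demo(void) {
    mock_card_t a = {{1, 2, 3, 4}, 1, 0}, b = {{9, 9, 9, 9}, 1, 0};
    session_t sa = {0}, sb = {0};
    const uint8_t hash[4] = {0x10, 0x20, 0x30, 0x40};   /* constructed handshake hash */
    uint8_t sig_a[4], sig_b[4];
    size_t la = sizeof sig_a, lb = sizeof sig_b;
    session_set_sign_callback(&sa, card_sign, card_cleanup, &a);
    session_set_sign_callback(&sb, card_sign, card_cleanup, &b);
    if (session_handshake_sign(&sa, hash, 4, sig_a, &la) != 0) return 0;
    if (session_handshake_sign(&sb, hash, 4, sig_b, &lb) != 0) return 0;
    session_end(&sa);
    session_end(&sb);
    return a.sign_count == 1 && b.sign_count == 1 && !a.open && !b.open
        && sig_a[0] == (0x10 ^ 1) && sig_b[0] == (0x10 ^ 9);
}
```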
