[gnutls-dev] sign callback for certificate authentication
Alon Bar-Lev
alon.barlev at gmail.com
Fri May 11 19:38:06 CEST 2007
On 5/11/07, Simon Josefsson <simon at josefsson.org> wrote:
> Hi. I'm making Scute an optional dependency on the branch now.
OK.
Just reference me to the place I can sync your modifications.
> > BTW: Your API need to allow adding user data pointer so that callbacks
> > will be able to access some private data.
> I've added this too.
Great!
> > BTW2: You should add cleanup callback, so that resources can be
> > released on session end.
> > http://lists.gnupg.org/pipermail/gnutls-dev/2007-May/001557.html
>
> This seem to be bloat to me, since it offers no additional
> functionality. Applications can cleanup resources when they deinit the
> particular GnuTLS session that uses the sign callback, can they not?
We would like to add a layer for application to use...
So except get certificate/credentials/whatever, the layer should be
able to free its resources.
So if we put this at gnutls_certificate_credentials_t we should have
gnutls_certificate_free_credentials() call callback cleanup so that
resources may be released.
So that user code will look like:
gnutls_pkcs11_set_certificate (gnutls_certificate_credentials_t *cred, <id>)
And that's it!
provider code will register sign callback, put certificate and
register clean callback.
> I'm considering to change the APIs (see below), so I didn't want to
> spend time discussing the changes for the next release now (otherwise I
> wouldn't have time to release it today).
>
> When I have time to write down my ideas about the changes that are
> necessary -- the sign callback should be set per
> gnutls_certificate_credential_t and not per session -- we can discuss
> the new API. However, I'm going to be busy for about 10 days so nothing
> will happen until after that.
>
> What should be possible for you with the upcoming p11.2 release is to
> write a PKCS#11 interface that can be invoked via the sign callback. I
> hope that you will be able to test signing via the callback and some
> PKCS#11 provider that you have until I come back. Then we your
> experience and the new API, finalize it and bring it back into the 1.7.x
> branch.
Thanks!
Alon.
More information about the Gnutls-devel
mailing list