[gnutls-dev] sign callback for certificate authentication

Alon Bar-Lev alon.barlev at gmail.com
Fri May 11 19:38:06 CEST 2007

On 5/11/07, Simon Josefsson <simon at josefsson.org> wrote:
> Hi.  I'm making Scute an optional dependency on the branch now.

Just reference me to the place I can sync your modifications.

> > BTW: Your API need to allow adding user data pointer so that callbacks
> > will be able to access some private data.
> I've added this too.


> > BTW2: You should add cleanup callback, so that resources can be
> > released on session end.
> > http://lists.gnupg.org/pipermail/gnutls-dev/2007-May/001557.html
> This seem to be bloat to me, since it offers no additional
> functionality.  Applications can cleanup resources when they deinit the
> particular GnuTLS session that uses the sign callback, can they not?

We would like to add a layer for application to use...
So except get certificate/credentials/whatever, the layer should be
able to free its resources.
So if we put this at gnutls_certificate_credentials_t we should have
gnutls_certificate_free_credentials() call callback cleanup so that
resources may be released.

So that user code will look like:
gnutls_pkcs11_set_certificate (gnutls_certificate_credentials_t *cred, <id>)

And that's it!

provider code will register sign callback, put certificate and
register clean callback.

> I'm considering to change the APIs (see below), so I didn't want to
> spend time discussing the changes for the next release now (otherwise I
> wouldn't have time to release it today).
> When I have time to write down my ideas about the changes that are
> necessary -- the sign callback should be set per
> gnutls_certificate_credential_t and not per session -- we can discuss
> the new API.  However, I'm going to be busy for about 10 days so nothing
> will happen until after that.
> What should be possible for you with the upcoming p11.2 release is to
> write a PKCS#11 interface that can be invoked via the sign callback.  I
> hope that you will be able to test signing via the callback and some
> PKCS#11 provider that you have until I come back.  Then we your
> experience and the new API, finalize it and bring it back into the 1.7.x
> branch.


More information about the Gnutls-devel mailing list