[gnutls-dev] Gnutls 1.7.8.p11.2

Simon Josefsson simon at josefsson.org
Fri May 11 16:08:32 CEST 2007

Here is the third release on the PKCS#11 branch.  This is only minor
fixes.  I'm thinking of changing the API so that the sign callback is
set on the credential and not on the session instead, which appears to
be cleaner API-wise.  I don't have time to implement that today, though,
and I won't have time to work on it more until Monday 21st, but I
wanted to get this release out the door anyway.

The NEWS entry is:

* Version 1.7.8.p11.2 (released 2007-05-11)

** Make Scute dependency optional.
Suggested by Alon Bar-Lev.  When Scute is not found, gnutls-cli will
not support the PKCS#11 interface.

** Add void* parameter to sign callbacks.
Suggested by Ludovic Courtès and Alon Bar-Lev.  This changes the
get/set_sign callback APIs.

** Rename gnutls_set_sign_function to gnutls_x509_sign_callback_set,
** and gnutls_get_sign_function to gnutls_x509_sign_callback_set.
The functions are X.509 specific, and the name should reflect that.
Ideally, these callback functions should be set in the
gnutls_certificate_credentials_t structure since that is where the
private key is set.  However, the implementation to do that is more

** API and ABI modifications:
gnutls_set_sign_function: REMOVED, renamed to gnutls_x509_sign_callback_set.
gnutls_x509_sign_callback_set: NEW, renamed from gnutls_set_sign_function.
gnutls_get_sign_function: REMOVED, renamed to gnutls_x509_sign_callback_get.
gnutls_x509_sign_callback_get: NEW, renamed from gnutls_get_sign_function.
gnutls_sign_func: CHANGED, added userdata type.

Warning!  This is even more experimental than the experimental 1.7.x
branch.  However, the changes compared to 1.7.8 are intentionally kept
minimal, to facilitate easy merging later on.

The support is limited to:

1) Optional support for build-time linking to the PKCS#11 provider
   scute, see http://www.scute.org/.

2) Retrieving trusted CA certificates from the PKCS#11 provider.  (If
scute is installed.)

3) Retrieving user certificates from the PKCS#11 provider.  (If scute is

4) Provide a callback to perform signing operations.

5) Provide an API to perform PKCS#11 signing via the PKCS#11 provider.

You can test the sign callback infrastructure separately, if you want to
implement your own PKCS#11 interface or similar.

To test the PKCS#11 integration, you'll need to build scute 1.1.0, and
set it up (try using it in mozilla), which requires some reading, see
the Scute manual.  I generated new keys on an OpenPGP smartcard with
gpg2 --edit-card and gpgsm-gencert.sh, then signed the CSR with certtool
using the GnuTLS test CA, and imported the certificates using 'gpgsm

If someone can explain to me how I can test other PKCS#11 providers, I
can test them too.  Supporting the NSS soft token provider is an
important target.

The gnutls-cli tool in this release automatically imports all CAs from
Scute, and will load the user certificates too, and invoke Scute for
signing.  Here is an output from running it against the GnuTLS test

jas@mocca:~/src/gnutls-pkcs11$ ~/src/gnutls-pkcs11/src/gnutls-cli --port 5556 test.gnutls.org --ctypes x509
Resolving 'test.gnutls.org'...
Connecting to ''...
- Received authorization data, format 01 of 59 bytes
  data: 546869732069732074686520582e3530392041747472696275746520436572746966696361746520617574686f72697a6174696f6e20646174610a
- Received authorization data, format 02 of 46 bytes
  data: 54686973206973207468652053414d4c20617373657274696f6e20617574686f72697a6174696f6e20646174610a
- Successfully sent 1 certificate(s) to server.
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches 'test.gnutls.org'.
 # valid since: Wed Apr 18 15:29:21 CEST 2007
 # expires at: Thu Apr 17 15:29:21 CEST 2008
 # fingerprint: 08:8B:4B:0F:68:88:4E:95:15:D6:AC:F6:B3:64:81:5B
 # Subject's DN: O=GnuTLS test server,CN=test.gnutls.org
 # Issuer's DN: CN=GnuTLS test CA

- Peer's certificate is trusted
- Version: TLS 1.2
- Key Exchange: DHE RSA
- Cipher: AES 256 CBC
- Compression: DEFLATE
- Handshake was completed

- Simple Client Mode:

GET / HTTP/1.1

HTTP/1.0 200 OK
Content-type: text/html

<CENTER><H1>This is <a href="http://www.gnu.org/software/gnutls">GNUTLS</a></H1></CENTER>

<p>Session ID: <i>403FF1B7889FD2BF9CA9E9B70120CFB7C01F1A08EC9FD2BF0100000000042B08</i></p>
<h5>If your browser supports session resuming, then you should see the same session ID, when you press the <b>reload</b> button.</h5>

<p>Server Name: test.gnutls.org</p>
Ephemeral DH using prime of <b>1032</b> bits.<br>
<TABLE border=1><TR><TD>Protocol version:</TD><TD>TLS 1.2</TD></TR>
<TR><TD>Certificate Type:</TD><TD>X.509</TD></TR>
<TR><TD>Key Exchange:</TD><TD>DHE RSA</TD></TR>
<TR><TD>Cipher</TD><TD>AES 256 CBC</TD></TR>
<hr><PRE>X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 4628a165
        Issuer: CN=GnuTLS test CA
                Not Before: Fri Apr 20 11:17:59 UTC 2007
                Not After: Wed Oct 17 11:18:02 UTC 2007
        Subject: O=Simon Josefsson,CN=Test Key
        Subject Public Key Algorithm: RSA
                Modulus (bits 1024):
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                Key Purpose (not critical):
                        TLS WWW Client.
                        TLS WWW Server.
                Subject Alternative Name (not critical):
                        DNSname: josefsson.org
                Key Usage (critical):
                        Digital signature.
                        Key encipherment.
                Subject Key Identifier (not critical):
                Authority Key Identifier (not critical):
        Signature Algorithm: RSA-SHA
Other Information:
        MD5 fingerprint:
        SHA-1 fingerprint:
        Public Key Id:
<hr><P>Your HTTP header was:<PRE></PRE></P>

- Peer has closed the GNUTLS connection
jas@mocca:~/src/gnutls-pkcs11$

To debug things, add a '-d 10' and you'll see some debug info.  First
loading the CA certificates:

|<2>| PKCS#11 slot count 1
|<2>| PKCS#11 slot[1].description: `GnuPG Smart Card Daemon                                         g10 Code GmbH                   '
|<2>| PKCS#11 slot[1].manufacturer: `g10 Code GmbH                   '
|<2>| PKCS#11 slot[1].token.label: `D2760001240101010001000005320000PPC Card Systems                OpenPGP         00000532
|<2>| Adding CA certificate 1532B4BA5A8A7988CA264283591BA3A21C0BCC24 (0)
|<2>| Skipping certificate BD5F80DE63034EC9E2841E6309552E345C5F226F (0/0)

Then the user certificates:

|<2>| PKCS#11 slot count 1
|<2>| PKCS#11 slot[1].description: `GnuPG Smart Card Daemon                                         g10 Code GmbH                   '
|<2>| PKCS#11 slot[1].manufacturer: `g10 Code GmbH                   '
|<2>| PKCS#11 slot[1].token.label: `D2760001240101010001000005320000PPC Card Systems                OpenPGP         00000532
|<2>| Added private key BD5F80DE63034EC9E2841E6309552E345C5F226F from slot 1
|<2>| Skipping certificate 1532B4BA5A8A7988CA264283591BA3A21C0BCC24 (1/0)
|<2>| Adding user certificate BD5F80DE63034EC9E2841E6309552E345C5F226F
- Successfully sent 1 certificate(s) to server.

Then signing using the user certificate:

|<2>| PKCS#11 slot count 1
|<2>| PKCS#11 slot[1].description: `GnuPG Smart Card Daemon                                         g10 Code GmbH                   '
|<2>| PKCS#11 slot[1].manufacturer: `g10 Code GmbH                   '
|<2>| PKCS#11 slot[1].token.label: `D2760001240101010001000005320000PPC Card Systems                OpenPGP         00000532
|<3>| HSK[8079ee0]: CERTIFICATE VERIFY was send [134 bytes]

The 1532B4BA5A8A7988CA264283591BA3A21C0BCC24 certificate is the GnuTLS
CA, and the BD5F80DE63034EC9E2841E6309552E345C5F226F certificate is my
client certificate.

Here are the compressed sources (4.3MB):

Here are GPG detached signatures signed using key 0xB565716F:

Here are the SHA-1 and SHA-224 checksums:

10fddb83282c467e2299790a8badc2ed4c74ca1c  gnutls-1.7.8.p11.2.tar.bz2
40c1eeb16c532ffed1357b2e54ce0a47e1119f6d  gnutls-1.7.8.p11.2.tar.bz2.sig

94557b4c9d1050751f16fdfc4ca7138b88914049e9347eb50b0f70f8  gnutls-1.7.8.p11.2.tar.bz2
5219eb7c41f155ba1e5772eafa55b99e9b1be3337aa2147b62886180  gnutls-1.7.8.p11.2.tar.bz2.sig

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.
You can contribute by reporting bugs, improving the software, or donating
money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.
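
Added example, not part of the original message or of GnuTLS: a small parser for the '-d 10' debug lines quoted above that groups the logged IDs by role and checks that every user certificate has a private key with the same ID on the token. The function names are hypothetical, and the line formats are assumed to be exactly those visible in the quoted output.

```python
import re

# Debug lines copied from the message's '-d 10' output (slot banner lines omitted).
SAMPLE_LOG = """\
|<2>| PKCS#11 slot count 1
|<2>| Adding CA certificate 1532B4BA5A8A7988CA264283591BA3A21C0BCC24 (0)
|<2>| Skipping certificate BD5F80DE63034EC9E2841E6309552E345C5F226F (0/0)
|<2>| Added private key BD5F80DE63034EC9E2841E6309552E345C5F226F from slot 1
|<2>| Skipping certificate 1532B4BA5A8A7988CA264283591BA3A21C0BCC24 (1/0)
|<2>| Adding user certificate BD5F80DE63034EC9E2841E6309552E345C5F226F
- Successfully sent 1 certificate(s) to server.
"""

# Role -> pattern, matching only the wording visible in the quoted log.
PATTERNS = {
    "ca": re.compile(r"Adding CA certificate ([0-9A-F]{40})\b"),
    "key": re.compile(r"Added private key ([0-9A-F]{40}) from slot (\d+)"),
    "user": re.compile(r"Adding user certificate ([0-9A-F]{40})\b"),
}

def classify(log_text):
    """Return {'ca': set, 'key': {id: slot}, 'user': set} from debug lines."""
    found = {"ca": set(), "key": {}, "user": set()}
    for line in log_text.splitlines():
        if not line.startswith("|<"):  # skip non-debug client output
            continue
        for role, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if role == "key":
                found["key"][m.group(1)] = int(m.group(2))
            else:
                found[role].add(m.group(1))
    return found

def audit(found):
    """List mismatches between user certificates and token private keys."""
    keys = set(found["key"])
    issues = []
    for cert in sorted(found["user"] - keys):
        issues.append(f"user certificate {cert} has no private key on the token")
    for key in sorted(keys - found["user"]):
        issues.append(f"private key {key} has no matching user certificate")
    return issues

if __name__ == "__main__":
    roles = classify(SAMPLE_LOG)
    print(roles, audit(roles) or "consistent")
```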

