[gnutls-dev] GnuTLS PKCS#11 Engine

Simon Josefsson simon at josefsson.org
Mon May 14 10:54:45 CEST 2007

"Alon Bar-Lev" <alon.barlev at gmail.com> writes:

> On 5/14/07, Simon Josefsson <simon at josefsson.org> wrote:
>> "Alon Bar-Lev" <alon.barlev at gmail.com> writes:
>> > An initial version of gnutls-pkcs11 is available for testing.
>> > It should provide a simple API to access PKCS#11 cryptographic tokens.
>> Cool!  I'm able to authenticate to the test.gnutls.org test server using
>> my brand new Swedish NIDEL ID card using the OpenSC PKCS#11 provider.
> Great!
> Please try Scute... I've never tried it before... It should use
> protected authentication, it means that the program should not ask you
> for PIN but the gnupg pinentry should pop up.

It doesn't seem to work.  Here is what happens.  Any ideas?

jas at mocca:~/src/gnutls-pkcs11-0.01/src$ ./gnutls-pkcs11-cli --add-provider=/usr/local/lib/libscute.so --cmd=ids --host=test.gnutls.org --port=5556 --debug 10
|<5>| PKCS#11: pkcs11h_addProvider entry pid=30115, reference='/usr/local/lib/libscute.so', provider_location='/usr/local/lib/libscute.so', allow_protected_auth=1, mask_private_mode=00000000, cert_is_private=0
|<4>| PKCS#11: Adding provider '/usr/local/lib/libscute.so'-'/usr/local/lib/libscute.so'
|<5>| PKCS#11: _pkcs11h_slotevent_notify entry
|<5>| PKCS#11: _pkcs11h_slotevent_notify return
|<4>| PKCS#11: Provider '/usr/local/lib/libscute.so' added rv=0-'CKR_OK'
|<5>| PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
|<5>| PKCS#11: pkcs11h_certificate_enumCertificateIds entry method=1, mask_prompt=00000003, p_cert_id_issuers_list=0xbf822628, p_cert_id_end_list=0xbf822624
|<5>| PKCS#11: _pkcs11h_session_getSlotList entry provider=0x8069df0, token_present=1, pSlotList=0xbf8225c8, pulCount=0xbf8225c4
|<5>| PKCS#11: pkcs11h_forkFixup entry pid=30129
scute: scute_agent_initialize: GPG Agent connection already established
|<5>| PKCS#11: pkcs11h_forkFixup return
|<5>| PKCS#11: pkcs11h_terminate entry
|<4>| PKCS#11: Removing providers
|<5>| PKCS#11: pkcs11h_removeProvider entry reference='/usr/local/lib/libscute.so'
|<4>| PKCS#11: Removing provider '/usr/local/lib/libscute.so'
|<5>| PKCS#11: _pkcs11h_slotevent_notify entry
|<5>| PKCS#11: _pkcs11h_slotevent_notify return
|<5>| PKCS#11: pkcs11h_removeProvider return rv=0-'CKR_OK'
|<4>| PKCS#11: Releasing sessions
|<4>| PKCS#11: Terminating slotevent
|<5>| PKCS#11: _pkcs11h_slotevent_terminate entry
|<5>| PKCS#11: _pkcs11h_slotevent_terminate return
|<4>| PKCS#11: Marking as uninitialized
can't connect server: ec=31.16383
|<5>| PKCS#11: _pkcs11h_session_getSlotList return rv=6-'CKR_FUNCTION_FAILED' *pulCount=0
|<4>| PKCS#11: Cannot get slot list for provider 'g10 Code GmbH' rv=6-'CKR_FUNCTION_FAILED'
|<5>| PKCS#11: __pkcs11h_certificate_splitCertificateIdList entry cert_id_all=(nil), p_cert_id_issuers_list=0xbf822628, p_cert_id_end_list=0xbf822624
|<5>| PKCS#11: __pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK'
|<5>| PKCS#11: pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK'
jas at mocca:~/src/gnutls-pkcs11-0.01/src$

I suspect Scute is failing here.

> Some questions:
> 1. Do you have any comments regarding the API?
> 2. Do you want me to add the gnutls interface to pkcs11-helper (as in
> OpenSSL case) or leave it as a separate module?
> 3. Do you think there is an advantage in creating a subset API of
> pkcs11-helper (current state), or in having the developer access
> pkcs11-helper directly and providing some utilities for the GnuTLS
> environment (as in the OpenSSL case)?

I haven't really made up my mind about how things should work here.

One concern I have is any OpenSSL dependency.

Another concern is that I would like GnuTLS to include some native
PKCS#11 interface, to support the OpenPGP card, GNOME Seahorse, and
possibly NSS's provider directly.  I think it doesn't make sense for
GnuTLS to handle PINs etc.  I think GnuTLS should assume the PKCS#11
provider takes care of PIN entry internally.  (Although I don't know how
the NSS provider works.)  I don't yet know how this is best implemented.
Including a copy of pkcs11-helper and your gnutls-pkcs11 library
(assuming the copyright and license situation is suitable) is a

