[gnutls-dev] GnuTLS PKCS#11 Engine

Alon Bar-Lev alon.barlev at gmail.com
Mon May 14 13:28:54 CEST 2007


On 5/14/07, Simon Josefsson <simon at josefsson.org> wrote:
> I suppose this is just PKCS#11 internal stuff, and I hope you will solve
> it.  If I can assist in testing anything, let me know.

This is a Scute problem, I cannot solve this... I CCed Marcus, I hope he
will be able to solve it.

> pkcs11-helper seem to link to OpenSSL by default.  As far as I
> understand, distributions cannot distribute packages that links
> pkcs11-helper together with gnutls via your gnutls-pkcs11 legally.
> Perhaps gnutls and/or gnutls-pkcs11 could check whether pkcs11-helper
> picks up OpenSSL, and if so, emit an error message.

I don't understand...
The OpenSSL stuff is not used, I can provide an engine for GnuTLS
inside the gnutls-pkcs11.
Even if it is linked, it is not used.

> > Why not just maintain it as a separate component?
> > What is the benefit in maintaining one large library?
>
> They are separate components, see the pkcs11-branch: there is a
> standalone libgnutls-pkcs11 library (see the top-level pkcs11/
> directory) that provides a simple PKCS#11 interface to Scute via the
> header gnutls/pkcs11.h.  Applications can choose to implement the sign
> callback using GnuTLS's pkcs11 library, but then they'll have to link to
> it, or your library, or some other library (that may use CAPI or
> whatever).

I don't understand...
The simple scute implementation is irrelevant for 99.999% of users.
And if an application chooses to use PKCS#11 it can also choose to add a
library to its linkage.

Alon.
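Added example, not part of this thread and not code from GnuTLS, gnutls-pkcs11 or pkcs11-helper: a small POSIX sh check of the kind Simon suggests, which inspects the dynamic linkage of a shared library (via ldd) and reports whether it pulls in OpenSSL's libcrypto or libssl, so a build or install step can refuse the combination before it is shipped. The default library path is a placeholder, and the two ldd-style outputs at the bottom are constructed so the pure check can be exercised without a real library.

```shell
#!/bin/sh
# Added example (not from the thread): does a shared library link OpenSSL?
# The pure check is separated from ldd so it can be tested on constructed
# input; the wrapper is what a configure-time or packaging check would call.

# linkage_has_openssl LDD_OUTPUT
# Returns 0 if any line of the ldd-style text names libcrypto or libssl,
# 1 otherwise.  ldd prints one "libfoo.so.N => /path (0x...)" line per
# dependency, so matching the leading library name is enough.
linkage_has_openssl() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*lib(crypto|ssl)\.so'
}

# check_openssl_linkage [LIBRARY_PATH]
# Runs ldd on a real library and returns 1 with an error message if it links
# OpenSSL, 0 if it does not, 2 if the library could not be inspected.
# The default path is a placeholder; pass the real location of the library.
check_openssl_linkage() {
    lib="${1:-/usr/lib/libpkcs11-helper.so}"   # placeholder path
    [ -r "$lib" ] || { echo "cannot read $lib" >&2; return 2; }
    out=$(ldd "$lib" 2>/dev/null) || { echo "ldd failed on $lib" >&2; return 2; }
    if linkage_has_openssl "$out"; then
        echo "error: $lib links against OpenSSL; refusing to combine it with GnuTLS" >&2
        return 1
    fi
    echo "ok: $lib does not link against OpenSSL"
    return 0
}

# Constructed ldd-style output (not captured from any real system).
SAMPLE_WITH_OPENSSL='    linux-vdso.so.1 (0x00007ffd00000000)
    libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f0000000000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0100000000)'
SAMPLE_WITHOUT_OPENSSL='    linux-vdso.so.1 (0x00007ffd00000000)
    libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f0200000000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0100000000)'

# Exercise the pure check on the constructed samples (no real library needed).
linkage_has_openssl "$SAMPLE_WITH_OPENSSL" && echo "sample 1: links OpenSSL"
linkage_has_openssl "$SAMPLE_WITHOUT_OPENSSL" || echo "sample 2: no OpenSSL"
```

To use it against an installed library, call check_openssl_linkage with the library's path; the exit status (0, 1 or 2) is what a configure script or package build would branch on.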
