gnutls with pkcs

Simon Josefsson simon at josefsson.org
Tue Feb 26 18:14:43 CET 2008


Pavlov Konstantin <thresh at altlinux.ru> writes:

> Hello, what's the current status of PKCS support in GnuTLS?
>
> 1.7 branch
> (http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=shortlog;h=gnutls_1_7_14_with_pkcs11)
> seems to be abandoned.

The following APIs were pulled into the stable release based on that
branch:

  typedef int (*gnutls_sign_func) (gnutls_session_t session,
				   void *userdata,
				   gnutls_certificate_type_t cert_type,
				   const gnutls_datum_t * cert,
				   const gnutls_datum_t * hash,
				   gnutls_datum_t * signature);

  void gnutls_sign_callback_set (gnutls_session_t session,
				 gnutls_sign_func sign_func,
				 void *userdata);
  gnutls_sign_func
  gnutls_sign_callback_get (gnutls_session_t session,
			    void **userdata);

Those APIs allow you to connect GnuTLS with any PKCS#11 mechanism, but
you need to do the PKCS11 glue work.

The gnutls-pkcs11 library that did the glue work is not included with
GnuTLS today.  The reason is that libgnutls-pkcs11 is linked to Scute at
compile-time.  That works fine if you want to use OpenPGP cards, but if
you want to use another PKCS#11 mechanism, you have to recompile the
library.  That wasn't very flexible, and it didn't feel finished enough
to include in the stable branch.

Possibly the library could use dlopen instead, opening a library
requested by the application.

Does this answer the question?

Are you interested in seeing the gnutls-pkcs11 library merged?  We could
look into what it would take to dlopen some library that the application
requested.

/Simon
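As an added illustration of the "glue work" the message refers to (this is example code, not GnuTLS's own code and not part of the original post): a gnutls_sign_func that maps the certificate GnuTLS hands it to a key handle on an external token, asks the token to sign the handshake hash, and returns the signature in a freshly allocated datum. The GnuTLS types are constructed stand-ins with the same shapes as the declarations quoted above, so the file builds on its own; the token module and its sign entry point are a constructed placeholder for what a dlopen-based glue would resolve from a real PKCS#11 module's function list (C_GetFunctionList / C_Sign), and the "signature" it produces is only a keyed tag, not a real signature.

```c
/* Added example, not GnuTLS's own code: the glue a gnutls_sign_func must do
 * to route a handshake signature to an external PKCS#11 token. GnuTLS types
 * are replaced by constructed stand-ins so this builds on its own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins mirroring the shapes quoted on the page (not from gnutls.h). */
typedef struct { unsigned char *data; unsigned int size; } gnutls_datum_t;
typedef enum { GNUTLS_CRT_X509 = 1, GNUTLS_CRT_OPENPGP = 2 } gnutls_certificate_type_t;
typedef struct session_st *gnutls_session_t;
typedef int (*gnutls_sign_func)(gnutls_session_t, void *, gnutls_certificate_type_t,
                                const gnutls_datum_t *, const gnutls_datum_t *,
                                gnutls_datum_t *);
struct session_st { gnutls_sign_func sign_func; void *sign_userdata; };
#define GNUTLS_E_INVALID_REQUEST (-50)   /* returned when no key matches the cert */

void gnutls_sign_callback_set(gnutls_session_t s, gnutls_sign_func f, void *ud)
{ s->sign_func = f; s->sign_userdata = ud; }
gnutls_sign_func gnutls_sign_callback_get(gnutls_session_t s, void **ud)
{ if (ud) *ud = s->sign_userdata; return s->sign_func; }

/* A loaded token module, reduced to the one entry point the glue needs.
 * Constructed abstraction: a real PKCS#11 module exposes CK_FUNCTION_LIST,
 * and a dlopen-based glue would fill this from C_GetFunctionList. */
typedef struct {
    const char *name;
    int (*sign)(void *key_handle, const unsigned char *hash, unsigned hash_len,
                unsigned char *out, unsigned *out_len);   /* plays the role of C_Sign */
} token_module;

/* Constructed placeholder for C_Sign: a keyed FNV-1a tag over the hash.
 * Deterministic and key-dependent is all the glue relies on; a real token
 * would return an RSA/ECDSA signature computed inside the device. */
static int placeholder_token_sign(void *key_handle, const unsigned char *hash,
                                  unsigned hash_len, unsigned char *out, unsigned *out_len)
{
    const unsigned char *secret = key_handle;          /* handle = 16 secret bytes */
    uint64_t h = 1469598103934665603ULL;
    unsigned i;
    if (*out_len < 8) return -1;                       /* caller's buffer too small */
    for (i = 0; i < 16; i++)       { h ^= secret[i]; h *= 1099511628211ULL; }
    for (i = 0; i < hash_len; i++) { h ^= hash[i];   h *= 1099511628211ULL; }
    for (i = 0; i < 8; i++) out[i] = (unsigned char)(h >> (8 * i));
    *out_len = 8;
    return 0;
}

/* One slot of the glue's table. GnuTLS identifies the key only by the
 * certificate it sends, so the glue must map cert bytes -> key handle itself. */
typedef struct {
    gnutls_certificate_type_t type;
    const unsigned char *cert; unsigned cert_len;
    const token_module *module; void *key_handle;
} key_slot;
typedef struct { const key_slot *slots; unsigned count; } keystore;

static int pkcs11_sign_cb(gnutls_session_t session, void *userdata,
                          gnutls_certificate_type_t cert_type,
                          const gnutls_datum_t *cert, const gnutls_datum_t *hash,
                          gnutls_datum_t *signature)
{
    const keystore *ks = userdata;
    unsigned char buf[64];
    unsigned len = sizeof buf, i;
    (void)session;
    for (i = 0; i < ks->count; i++) {
        const key_slot *k = &ks->slots[i];
        if (k->type == cert_type && k->cert_len == cert->size &&
            memcmp(k->cert, cert->data, cert->size) == 0) {
            int rc = k->module->sign(k->key_handle, hash->data, hash->size, buf, &len);
            if (rc != 0) return rc;
            signature->data = malloc(len);    /* real glue: gnutls_malloc, GnuTLS frees */
            if (!signature->data) return -25; /* GNUTLS_E_MEMORY_ERROR */
            memcpy(signature->data, buf, len);
            signature->size = len;
            return 0;
        }
    }
    return GNUTLS_E_INVALID_REQUEST;   /* unknown cert or wrong cert type: refuse */
}

/* Constructed sample data: a short fake DER blob and a token secret. */
static const unsigned char CERT_A[] = { 0x30, 0x82, 0x01, 0x0a, 0xaa, 0xbb };
static unsigned char SECRET_A[16] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 };
static const token_module PLACEHOLDER = { "placeholder-token", placeholder_token_sign };
static const key_slot SLOTS[] = { { GNUTLS_CRT_X509, CERT_A, sizeof CERT_A, &PLACEHOLDER, SECRET_A } };
static const keystore STORE = { SLOTS, 1 };

/* Drives one signing request the way GnuTLS would during a handshake. */
int demo_sign(const unsigned char *cert_der, unsigned cert_len,
              gnutls_certificate_type_t type, gnutls_datum_t *sig)
{
    struct session_st sess = { 0, 0 };
    unsigned char digest[20] = { 0x7f };        /* constructed 20-byte hash */
    gnutls_datum_t cert = { (unsigned char *)cert_der, cert_len };
    gnutls_datum_t hash = { digest, sizeof digest };
    void *ud; gnutls_sign_func f;
    gnutls_sign_callback_set(&sess, pkcs11_sign_cb, (void *)&STORE);
    f = gnutls_sign_callback_get(&sess, &ud);
    return f(&sess, ud, type, &cert, &hash, sig);
}

int main(void)
{
    gnutls_datum_t sig = { 0, 0 };
    int rc = demo_sign(CERT_A, sizeof CERT_A, GNUTLS_CRT_X509, &sig);
    printf("rc=%d signature bytes=%u\n", rc, sig.size);
    free(sig.data);
    return rc != 0;
}
```

Two points of the contract matter in practice: the callback must refuse (negative error) rather than sign when the certificate or certificate type does not match a key it holds, and the signature buffer it hands back is owned by GnuTLS, which is why the real glue allocates it with gnutls_malloc rather than malloc.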

More information about the Gnutls-devel mailing list