PKCS#11 support and proxy providers

Craig Ringer craig at
Wed Jun 10 08:17:41 CEST 2009


I've been doing some research into PKCS#11 support in GnuTLS and into
PKCS#11 proxy providers. There was some discussion on both some time ago
on the GnuTLS devel list, but I've been unable to find much more recent
than 2007. Current GnuTLS sources do not appear to support loading and
using a PKCS#11 provider module.

Is there PKCS#11 support in GnuTLS that I'm missing? Or did the PKCS#11
work done in 2007 not come to anything?

The reason I'm interested is that some apps I use, including Evolution
Data Server's Camel mail client module, use GnuTLS for their crypto
needs. This not only prevents them from talking to smart cards and other
hardware keys, but it prevents them from using centralized PKCS#11-based
certificate stores like the GNOME Keyring Daemon. Users must instead
configure each GnuTLS-using app to load their certificate from a PKCS#12

I'm looking into ways to get a centralized key store, including PKCS#11
proxying for smart cards and the like, into wider use on Linux desktops.
As part of that I'd be really interested in any progress on PKCS#11
support in GnuTLS. For my purposes I'd only need single-provider
support, since GnuTLS would talk to the proxy provider over a UNIX
socket and that'd manage the keystore as well as any smart cards and the

I've been unable to find any suitable existing proxy provider
implementations, so I was thinking of writing a thin PKCS#11 provider
module and a daemon that uses libnss to handle the keystore, card
proxying, and the like. Is anyone here aware of a suitable existing
PKCS#11 proxy daemon and provider that might do the job?

Thanks for listening.

Craig Ringer
