initial PKCS #11 support

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun May 16 12:12:51 CEST 2010


Hello,
I have implemented a limited (to public keys and private keys) PKCS #11
API in gnutls. This was inspired mainly by the neon PKCS #11 support and
Alon's gnutls-pkcs11, although I think it has a larger scope.

A sneak preview is at
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=shortlog;h=new

* How it works:
It can be enabled with a global config file (/etc/gnutls/pkcs11.conf)
which contains the pkcs11 modules to load, or an application may ignore
it and specify explicitly the modules it uses (see
gnutls_pkcs11_init()). The file contains entries such as:
"load=/xxx/pkcs11-lib.so"

To reference PKCS #11 objects gnutls uses URLs as in
http://tools.ietf.org/html/draft-pechanec-pkcs11uri-01

This has the advantage that all existing applications that use the
gnutls functions to load keys/certificates will be able to use pkcs11
urls transparently.

With certtool a list of the available keys is shown:

./certtool --pkcs11-list
PIN required for token 'Nikos Mavrogiannopoulos (User P' in slot
'OmniKey CardMan 3121 00 00'
Enter password:
Certificate 0:
        URL:
pkcs11:token=Nikos%20Mavrogiannopoulos%20%28User%20P;serial=307521161601031;model=PKCS%2315;manufacturer=EnterSafe;object=Certificate;id=db:5b:3e:b5:72:33:92:99:18:ed:bb:eb:74:68:31:bd:b2:23:67:26
        Label: Certificate
        ID: db:5b:3e:b5:72:33:92:99:18:ed:bb:eb:74:68:31:bd:b2:23:67:26
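As an added illustration (example code, not part of gnutls or this patch), the URL printed above can be split into its attributes and percent-decoded with a small bounds-checked parser; the names struct p11_attr, pct_decode and p11_url_parse are this example's own, and it follows the name=value;... syntax of the draft referenced above, treating the id field as an opaque string.

```c
#include <ctype.h>
#include <string.h>
/* Added example, not gnutls code: split a "pkcs11:name=value;..." URL as shown
   above into attributes, percent-decoding each value with bounds checks. */
struct p11_attr { char name[32]; char value[256]; };
static int hexval(int c) {   /* value of one hex digit, or -1 */
    c = tolower(c);
    return isdigit(c) ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Decode len bytes of src into dst; -1 on a bad %XX escape or if it won't fit. */
static int pct_decode(const char *src, size_t len, char *dst, size_t dstsz) {
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {                /* needs two hex digits after it */
            int hi = i + 2 < len ? hexval((unsigned char)src[i + 1]) : -1;
            int lo = i + 2 < len ? hexval((unsigned char)src[i + 2]) : -1;
            if (hi < 0 || lo < 0) return -1;
            c = (hi << 4) | lo;
            i += 2;
        }
        if (o + 1 >= dstsz) return -1; /* keep room for the terminator */
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}
/* Returns the number of attributes parsed, or -1 on a wrong scheme or a
   malformed or oversized name=value pair (so no attribute buffer overflows). */
int p11_url_parse(const char *url, struct p11_attr *attrs, int max) {
    const char *p = url; int n = 0;
    if (strncmp(p, "pkcs11:", 7) != 0) return -1;
    p += 7;
    while (*p) {
        const char *end = p + strcspn(p, ";");       /* end of this pair */
        const char *eq = memchr(p, '=', (size_t)(end - p));
        if (!eq || eq == p || n >= max) return -1;
        size_t nlen = (size_t)(eq - p);
        if (nlen >= sizeof attrs[n].name) return -1;
        memcpy(attrs[n].name, p, nlen);
        attrs[n].name[nlen] = '\0';
        if (pct_decode(eq + 1, (size_t)(end - eq - 1), attrs[n].value,
                       sizeof attrs[n].value) < 0) return -1;
        n++;
        p = *end ? end + 1 : end;
    }
    return n;
}
```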


With gnutls-cli or gnutls-serv and x509certfile/x509keyfile a pkcs11 url
can be specified to use the corresponding keys and certificates.

As a backend a modified pakchois library is used (modified to load an
arbitrary library instead of looking into default paths).

An example application can be seen at:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=blob;f=doc/examples/ex-cert-select-pkcs11.c;h=64875a97601d02d3288fe802831e71ec04c919e7;hb=9c21137aed2910de498832f598ae49238f40a27b


Still there are several things to be done such as:
1. gnutls-cli/serv --x509cafile read from a pkcs11 url (certtool
--pkcs11-list-trusted does something similar already)
2. Support for PKCS #11 secret keys in PSK ciphersuites
3. Thread lock issues with sharing of pkcs11 objects (probably implement
locks around gnutls_pkcs11_privkey_t operations)
4. Allow signing of certificates with a pkcs 11 key (should be trivial
using the gnutls_privkey_t api)
5. Allow reading and transforming pkcs11 public keys to certificates and
certificate requests.
6. Allow generation of keys (still thinking whether it's worthwhile)


Any comments welcome.

regards,
Nikos



