[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [gnutls-dev] GnuTLS PKCS#11 Engine
|
From: |
Simon Josefsson |
|
Subject: |
Re: [gnutls-dev] GnuTLS PKCS#11 Engine |
|
Date: |
Mon, 14 May 2007 10:54:45 +0200 |
|
User-agent: |
Gnus/5.110007 (No Gnus v0.7) Emacs/22.0.95 (gnu/linux) |
"Alon Bar-Lev" <address@hidden> writes:
> On 5/14/07, Simon Josefsson <address@hidden> wrote:
>> "Alon Bar-Lev" <address@hidden> writes:
>>
>> > An initial version of gnugls-pkcs11 is available for testing.
>> > It should provide a simple API to access PKCS#11 cryptographic tokens.
>>
>> Cool! I'm able to authenticate to the test.gnutls.org test server using
>> my brand new Swedish NIDEL ID card using the OpenSC PKCS#11 provider.
>
> Great!
> Please try Scute... I've never tried it before... It should use
> protected authentication, it means that the program should not ask you
> for PIN but the gnupg pinentry should pop up.
It doesn't seem to work. Here is what happens. Any ideas?
address@hidden:~/src/gnutls-pkcs11-0.01/src$ ./gnutls-pkcs11-cli
--add-provider=/usr/local/lib/libscute.so --cmd=ids --host=test.gnutls.org
--port=5556 --debug 10
|<5>| PKCS#11: pkcs11h_addProvider entry pid=30115,
reference='/usr/local/lib/libscute.so',
provider_location='/usr/local/lib/libscute.so', allow_protected_auth=1,
mask_private_mode=00000000, cert_is_private=0
|<4>| PKCS#11: Adding provider
'/usr/local/lib/libscute.so'-'/usr/local/lib/libscute.so'
|<5>| PKCS#11: _pkcs11h_slotevent_notify entry
|<5>| PKCS#11: _pkcs11h_slotevent_notify return
|<4>| PKCS#11: Provider '/usr/local/lib/libscute.so' added rv=0-'CKR_OK'
|<5>| PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
|<5>| PKCS#11: pkcs11h_certificate_enumCertificateIds entry method=1,
mask_prompt=00000003, p_cert_id_issuers_list=0xbf822628,
p_cert_id_end_list=0xbf822624
|<5>| PKCS#11: _pkcs11h_session_getSlotList entry provider=0x8069df0,
token_present=1, pSlotList=0xbf8225c8, pulCount=0xbf8225c4
|<5>| PKCS#11: pkcs11h_forkFixup entry pid=30129
scute: scute_agent_initialize: GPG Agent connection already established
|<5>| PKCS#11: pkcs11h_forkFixup return
|<5>| PKCS#11: pkcs11h_terminate entry
|<4>| PKCS#11: Removing providers
|<5>| PKCS#11: pkcs11h_removeProvider entry
reference='/usr/local/lib/libscute.so'
|<4>| PKCS#11: Removing provider '/usr/local/lib/libscute.so'
|<5>| PKCS#11: _pkcs11h_slotevent_notify entry
|<5>| PKCS#11: _pkcs11h_slotevent_notify return
|<5>| PKCS#11: pkcs11h_removeProvider return rv=0-'CKR_OK'
|<4>| PKCS#11: Releasing sessions
|<4>| PKCS#11: Terminating slotevent
|<5>| PKCS#11: _pkcs11h_slotevent_terminate entry
|<5>| PKCS#11: _pkcs11h_slotevent_terminate return
|<4>| PKCS#11: Marking as uninitialized
can't connect server: ec=31.16383
|<5>| PKCS#11: _pkcs11h_session_getSlotList return rv=6-'CKR_FUNCTION_FAILED'
*pulCount=0
|<4>| PKCS#11: Cannot get slot list for provider 'g10 Code GmbH'
rv=6-'CKR_FUNCTION_FAILED'
|<5>| PKCS#11: __pkcs11h_certificate_splitCertificateIdList entry
cert_id_all=(nil), p_cert_id_issuers_list=0xbf822628,
p_cert_id_end_list=0xbf822624
|<5>| PKCS#11: __pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK'
|<5>| PKCS#11: pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK'
address@hidden:~/src/gnutls-pkcs11-0.01/src$
I suspect Scute is failing here.
> Some questions:
>
> 1. Do you have any comments regarding the API?
>
> 2. Do you want me to add the gnutls interface to pkcs11-helper (as in
> OpenSSL case) or leave it as a separate module?
>
> 3. Do you think there is advantage of creating subset API of
> pkcs11-helper available (current state), or have the developer access
> pkcs11-helper directly and provide some utilities for GnuTLS
> environment (as in OpenSSL case).
I haven't really made up my mind about how things should work here.
One concern I have is any OpenSSL dependency.
Another concern is that I would like GnuTLS to include some native
PKCS#11 interface, to support the OpenPGP card, GNOME Seahorse, and
possibly NSS's provider directly. I think it doesn't make sense for
GnuTLS to handle pin's etc. I think GnuTLS should assume the PKCS#11
provider takes care of PIN entry internally. (Although I don't know how
the NSS provider works.) I don't yet know how this is best implemented.
Including a copy of pkcs11-helper and your gnutls-pkcs11 library
(assuming the copyright and license situation is suitable) is a
possibility.
/Simon
- [gnutls-dev] GnuTLS PKCS#11 Engine, Alon Bar-Lev, 2007/05/13
- Re: [gnutls-dev] GnuTLS PKCS#11 Engine, Simon Josefsson, 2007/05/14
- Re: [gnutls-dev] GnuTLS PKCS#11 Engine, Alon Bar-Lev, 2007/05/14
- Re: [gnutls-dev] GnuTLS PKCS#11 Engine,
Simon Josefsson <=
- Re: [gnutls-dev] GnuTLS PKCS#11 Engine, Alon Bar-Lev, 2007/05/14
- Re: [gnutls-dev] GnuTLS PKCS#11 Engine, Simon Josefsson, 2007/05/14
- Re: [gnutls-dev] GnuTLS PKCS#11 Engine, Alon Bar-Lev, 2007/05/14
- Re: [gnutls-dev] GnuTLS PKCS#11 Engine, Alon Bar-Lev, 2007/05/14
- Re: [gnutls-dev] GnuTLS PKCS#11 Engine, Simon Josefsson, 2007/05/14
- Re: [gnutls-dev] GnuTLS PKCS#11 Engine, Alon Bar-Lev, 2007/05/14
- Re: [gnutls-dev] GnuTLS PKCS#11 Engine, Simon Josefsson, 2007/05/14
- Re: [gnutls-dev] GnuTLS PKCS#11 Engine, Alon Bar-Lev, 2007/05/14
- Message not available
- Re: [gnutls-dev] GnuTLS PKCS#11 Engine, Alon Bar-Lev, 2007/05/14
- Message not available
- Re: [gnutls-dev] GnuTLS PKCS#11 Engine, Alon Bar-Lev, 2007/05/14