Re: [gnutls-dev] GnuTLS 1.7.8.p11.0

From: Alon Bar-Lev
Subject: Re: [gnutls-dev] GnuTLS 1.7.8.p11.0
Date: Thu, 3 May 2007 23:45:23 +0300


I was about to get this implementation and suggest an alternative,
only to discover that you are not doing any private key operations.

So there is no implementation to modify, and I don't wish to rewrite
a large part of the GnuTLS code.

So I ask you again, please implement a callback structure for engines;
this callback should have the following methods:

typedef struct {
  void *user_data;
  int (*init)(void *user_data);
  int (*cleanup)(void *user_data);
  int (*sign)(void *user_data, int algorithm, size_t input_size,
              const unsigned char * const input, size_t *output_size,
              unsigned char * const output);
  int (*decrypt)(void *user_data, int algorithm, size_t input_size,
                 const unsigned char * const input, size_t *output_size,
                 unsigned char * const output);
} engine_t;

Provide a replacement function for:
gnutls_certificate_set_x509_key_file ()
Something like:
(gnutls_certificate_credentials_t res, engine_t *engine)

This will allow the application to enumerate the token certificates, set
the trust correctly by using the regular
gnutls_certificate_set_x509_trust_file() call, and handle the
sign/decrypt in any way it likes... One implementation may be PKCS#11.

As I said before, if you provide such interface, I will provide a
*COMPLETE* and *WORKING* PKCS#11 support for GnuTLS, after a day or

It will also clean up your implementation, and allow many other
engines to be added.

Another alternative is to wait for you to have a remotely working
solution, and create a patch for the above (this is what I intended to
do now...), but it would be much cleaner if you create the interface
as you know GnuTLS best, and it will save a lot of work for all.

Please consider cooperating; you lose nothing, as you will be able
to use the same interface for your implementation as well.

Best Regards,
Alon Bar-Lev.

On 5/2/07, Simon Josefsson <address@hidden> wrote:
Here is the first release on the PKCS#11 branch.  The support is
currently rather limited, but I decided to make a release early to
invite more feedback.  The NEWS entry is:

* Version 1.7.8.p11.0 (released 2007-05-02)

** New function to get trusted CA certificates from PKCS#11 provider.

** API and ABI modifications:
gnutls_pkcs11_get_ca_certificates: ADD.

Warning!  This is even more experimental than the experimental 1.7.x
branch.  However, the changes compared to 1.7.8 are intentionally kept
minimal, to facilitate easy merging later on.

The support is limited to:

1) Support for build-time linking to the PKCS#11 provider scute, see

2) Retrieving trusted CA certificates from the PKCS#11 provider.

To test it, you'll need to build scute from SVN (because it contains a
CKA_TRUSTED related fix), and set it up (try using it in mozilla), which
can be non-trivial.  See the Scute manual.  I generated new keys on an
OpenPGP smartcard with gpg2 --edit-card and, then
signed the CSR with certtool using the GnuTLS test CA, and imported the
certificates using 'gpgsm --import'.

If someone can explain to me how I can test other PKCS#11 providers, I
can test them too.  Supporting the NSS soft token provider is an
important target.

The gnutls-cli tool in this release automatically imports all CAs from
Scute, and here is an output from running it against the GnuTLS test

address@hidden:~$ ~/src/gnutls-pkcs11/src/gnutls-cli --port 5556 --ctypes x509
Resolving ''...
Connecting to ''...
- Successfully sent 0 certificate(s) to server.
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches ''.
 # valid since: Wed Apr 18 15:29:21 CEST 2007
 # expires at: Thu Apr 17 15:29:21 CEST 2008
 # fingerprint: 08:8B:4B:0F:68:88:4E:95:15:D6:AC:F6:B3:64:81:5B
 # Subject's DN: O=GnuTLS test server,
 # Issuer's DN: CN=GnuTLS test CA

- Peer's certificate is trusted
- Version: TLS 1.2
- Key Exchange: DHE RSA
- Cipher: AES 256 CBC
- Compression: DEFLATE
- Handshake was completed

Notice that it says the peer's certificate is trusted, without any
--x509certfile.  The GnuTLS CA is retrieved from Scute.  To debug
things, add a '-d 10' and you'll see some debug info:

|<2>| PKCS#11 slot count 1
|<2>| PKCS#11 slot[1].description: `GnuPG Smart Card Daemon                     
                    g10 Code GmbH                   '
|<2>| PKCS#11 slot[1].manufacturer: `g10 Code GmbH                   '
|<2>| PKCS#11 slot[1].token.label: `D2760001240101010001000005320000PPC Card 
Systems                OpenPGP         00000532
|<2>| Adding CA certificate 1532B4BA5A8A7988CA264283591BA3A21C0BCC24 (0)
|<2>| Skipping certificate BD5F80DE63034EC9E2841E6309552E345C5F226F (0/0)

Here the 1532B4BA5A8A7988CA264283591BA3A21C0BCC24 certificate is the
GnuTLS CA, and the BD5F80DE63034EC9E2841E6309552E345C5F226F certificate
is my client certificate (which is not used as a trusted root).

Here are the compressed sources (4.3MB):

Here are GPG detached signatures signed using key 0xB565716F:

Here are the SHA-1 and SHA-224 checksums:

9fe33805fb5083f5db7be2a3861b2cbd24e818da  gnutls-1.7.8.p11.0.tar.bz2
07cf60a582e8a83c10c13e60b6817c6329630f9f  gnutls-1.7.8.p11.0.tar.bz2.sig


Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.
You can contribute by reporting bugs, improving the software, or donating
money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See for more details.
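
The engine callback interface proposed in this message, as an added example (not code from the post or from GnuTLS): a mock engine keeps its key behind user_data, and a hypothetical library-side wrapper checks the callback table and the output size the engine reports. The return codes, mock_token, mock_sign, engine_sign and demo are assumptions, and the XOR transform is a placeholder, not a signature algorithm.

```c
#include <stddef.h>

/* engine_t as proposed in the message above. */
typedef struct {
  void *user_data;
  int (*init)(void *user_data);
  int (*cleanup)(void *user_data);
  int (*sign)(void *user_data, int algorithm, size_t input_size, const unsigned char *const input,
              size_t *output_size, unsigned char *const output);
  int (*decrypt)(void *user_data, int algorithm, size_t input_size, const unsigned char *const input,
                 size_t *output_size, unsigned char *const output);
} engine_t;

/* Hypothetical return codes; the message does not define any. */
enum { ENG_OK = 0, ENG_ERR = -1, ENG_SHORT_BUFFER = -2 };
/* Constructed mock token: the key material never leaves this struct. */
typedef struct { unsigned char key; int logged_in; size_t sig_len; } mock_token;
static int mock_init(void *ud) { ((mock_token *)ud)->logged_in = 1; return ENG_OK; }
static int mock_cleanup(void *ud) { ((mock_token *)ud)->logged_in = 0; return ENG_OK; }

/* Placeholder transform, NOT a signature algorithm: it only shows the calling contract. */
static int mock_sign(void *ud, int alg, size_t in_len, const unsigned char *const in,
                     size_t *out_len, unsigned char *const out) {
  mock_token *t = ud;
  if (alg != 0 || !t->logged_in || !out_len) return ENG_ERR;
  if (!out || *out_len < t->sig_len) { *out_len = t->sig_len; return ENG_SHORT_BUFFER; }
  for (size_t i = 0; i < t->sig_len; i++) out[i] = (in_len ? in[i % in_len] : 0) ^ t->key;
  *out_len = t->sig_len; return ENG_OK;
}

/* Library side (hypothetical): validate the table and never trust the reported size. */
int engine_sign(const engine_t *e, int alg, const unsigned char *in, size_t in_len,
                unsigned char *out, size_t out_cap, size_t *out_len) {
  if (!e || !e->sign || !in || !out || !out_len) return ENG_ERR;
  size_t n = out_cap;
  int rc = e->sign(e->user_data, alg, in_len, in, &n, out);
  if (rc == ENG_OK && n > out_cap) return ENG_ERR; /* engine claims it wrote past the buffer */
  *out_len = n; /* on ENG_SHORT_BUFFER this is the size the caller must provide */
  return rc;
}

/* Constructed usage: init, sign into a buffer of out_cap bytes, cleanup. */
int demo(size_t out_cap, size_t *needed) {
  mock_token tok = { 0x5a, 0, 8 };
  engine_t e = { &tok, mock_init, mock_cleanup, mock_sign, NULL };
  unsigned char digest[4] = { 1, 2, 3, 4 }, sig[16];
  if (out_cap > sizeof sig || e.init(e.user_data) != ENG_OK) return ENG_ERR;
  int rc = engine_sign(&e, 0, digest, sizeof digest, sig, out_cap, needed);
  e.cleanup(e.user_data);
  return rc;
}
```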

