[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [gnutls-dev] GnuTLS PKCS#11 Engine

From: Simon Josefsson
Subject: Re: [gnutls-dev] GnuTLS PKCS#11 Engine
Date: Mon, 14 May 2007 10:54:45 +0200
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.0.95 (gnu/linux)

"Alon Bar-Lev" <address@hidden> writes:

> On 5/14/07, Simon Josefsson <address@hidden> wrote:
>> "Alon Bar-Lev" <address@hidden> writes:
>> > An initial version of gnugls-pkcs11 is available for testing.
>> > It should provide a simple API to access PKCS#11 cryptographic tokens.
>> Cool!  I'm able to authenticate to the test server using
>> my brand new Swedish NIDEL ID card using the OpenSC PKCS#11 provider.
> Great!
> Please try Scute... I've never tried it before... It should use
> protected authentication, it means that the program should not ask you
> for PIN but the gnupg pinentry should pop up.

It doesn't seem to work.  Here is what happens.  Any ideas?

address@hidden:~/src/gnutls-pkcs11-0.01/src$ ./gnutls-pkcs11-cli 
--add-provider=/usr/local/lib/ --cmd=ids 
--port=5556 --debug 10
|<5>| PKCS#11: pkcs11h_addProvider entry pid=30115, 
provider_location='/usr/local/lib/', allow_protected_auth=1, 
mask_private_mode=00000000, cert_is_private=0
|<4>| PKCS#11: Adding provider 
|<5>| PKCS#11: _pkcs11h_slotevent_notify entry
|<5>| PKCS#11: _pkcs11h_slotevent_notify return
|<4>| PKCS#11: Provider '/usr/local/lib/' added rv=0-'CKR_OK'
|<5>| PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
|<5>| PKCS#11: pkcs11h_certificate_enumCertificateIds entry method=1, 
mask_prompt=00000003, p_cert_id_issuers_list=0xbf822628, 
|<5>| PKCS#11: _pkcs11h_session_getSlotList entry provider=0x8069df0, 
token_present=1, pSlotList=0xbf8225c8, pulCount=0xbf8225c4
|<5>| PKCS#11: pkcs11h_forkFixup entry pid=30129
scute: scute_agent_initialize: GPG Agent connection already established
|<5>| PKCS#11: pkcs11h_forkFixup return
|<5>| PKCS#11: pkcs11h_terminate entry
|<4>| PKCS#11: Removing providers
|<5>| PKCS#11: pkcs11h_removeProvider entry 
|<4>| PKCS#11: Removing provider '/usr/local/lib/'
|<5>| PKCS#11: _pkcs11h_slotevent_notify entry
|<5>| PKCS#11: _pkcs11h_slotevent_notify return
|<5>| PKCS#11: pkcs11h_removeProvider return rv=0-'CKR_OK'
|<4>| PKCS#11: Releasing sessions
|<4>| PKCS#11: Terminating slotevent
|<5>| PKCS#11: _pkcs11h_slotevent_terminate entry
|<5>| PKCS#11: _pkcs11h_slotevent_terminate return
|<4>| PKCS#11: Marking as uninitialized
can't connect server: ec=31.16383
|<5>| PKCS#11: _pkcs11h_session_getSlotList return rv=6-'CKR_FUNCTION_FAILED' 
|<4>| PKCS#11: Cannot get slot list for provider 'g10 Code GmbH' 
|<5>| PKCS#11: __pkcs11h_certificate_splitCertificateIdList entry 
cert_id_all=(nil), p_cert_id_issuers_list=0xbf822628, 
|<5>| PKCS#11: __pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK'
|<5>| PKCS#11: pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK'

I suspect Scute is failing here.

> Some questions:
> 1. Do you have any comments regarding the API?
> 2. Do you want me to add the gnutls interface to pkcs11-helper (as in
> OpenSSL case) or leave it as a separate module?
> 3. Do you think there is advantage of creating subset API of
> pkcs11-helper available (current state), or have the developer access
> pkcs11-helper directly and provide some utilities for GnuTLS
> environment (as in OpenSSL case).

I haven't really made up my mind about how things should work here.

One concern I have is any OpenSSL dependency.

Another concern is that I would like GnuTLS to include some native
PKCS#11 interface, to support the OpenPGP card, GNOME Seahorse, and
possibly NSS's provider directly.  I think it doesn't make sense for
GnuTLS to handle pin's etc.  I think GnuTLS should assume the PKCS#11
provider takes care of PIN entry internally.  (Although I don't know how
the NSS provider works.)  I don't yet know how this is best implemented.
Including a copy of pkcs11-helper and your gnutls-pkcs11 library
(assuming the copyright and license situation is suitable) is a


reply via email to

[Prev in Thread] Current Thread [Next in Thread]