Re: gnutls with pkcs

From: Simon Josefsson
Subject: Re: gnutls with pkcs
Date: Tue, 26 Feb 2008 18:14:43 +0100
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)

Pavlov Konstantin <address@hidden> writes:

> Hello, what's the current status of PKCS support in GnuTLS?
> 1.7 branch
> (;a=shortlog;h=gnutls_1_7_14_with_pkcs11)
> seems being abandoned.

The following APIs were pulled into the stable release based on that

  /* Callback the application supplies: it receives the hash to be signed
     and returns the signature produced by whatever holds the private key
     (e.g. a PKCS#11 token); 0 on success, a negative error code otherwise. */
  typedef int (*gnutls_sign_func) (gnutls_session_t session,
                                   void *userdata,
                                   gnutls_certificate_type_t cert_type,
                                   const gnutls_datum_t * cert,
                                   const gnutls_datum_t * hash,
                                   gnutls_datum_t * signature);

  /* Install the callback (and an opaque userdata pointer) on a session. */
  void gnutls_sign_callback_set (gnutls_session_t session,
                                 gnutls_sign_func sign_func,
                                 void *userdata);
  /* Retrieve the installed callback; *userdata receives the opaque pointer. */
  gnutls_sign_func gnutls_sign_callback_get (gnutls_session_t session,
                                             void **userdata);

Those APIs allow you to connect GnuTLS with any PKCS#11 mechanism, but
you need to do the PKCS#11 glue work.

The gnutls-pkcs11 library that did the glue work is not included with
GnuTLS today.  The reason is that libgnutls-pkcs11 is linked to Scute at
compile-time.  That works fine if you want to use OpenPGP cards, but if
you want to use another PKCS#11 mechanism, you have to recompile the
library.  That wasn't very flexible, and it didn't feel finished enough
to include in the stable branch.

Possibly the library could use dlopen instead, opening a library
requested by the application.

Does this answer the question?

Are you interested in seeing the gnutls-pkcs11 library merged?  We could
look into what it would take to dlopen some library that the application
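The dlopen approach floated in the message above, as an added example that is not code from GnuTLS, the gnutls-pkcs11 library or the mail's author: the application names a PKCS#11 module and the glue loads it at run time instead of being linked to Scute at compile time. The reduced `ck_version_t` / function-list header types are stand-ins for the real `pkcs11.h` definitions (the real `CK_FUNCTION_LIST` does begin with the Cryptoki version, and `C_GetFunctionList` is the one entry point every module must export); the result codes and function names are this example's own. Only absolute paths are accepted, so the dynamic loader's search path cannot substitute a different module for the one the application asked for, and every failure is reported rather than dereferenced.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* Reduced view of the PKCS#11 function-list header (assumed stand-in for
 * pkcs11.h): a module's CK_FUNCTION_LIST starts with the Cryptoki version. */
typedef struct {
    unsigned char major;
    unsigned char minor;
} ck_version_t;

typedef struct {
    ck_version_t version;
    /* The real table continues with C_Initialize, C_Finalize, ...;
     * omitted because this example never calls them. */
} ck_function_list_head_t;

/* C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR) returns CK_RV (unsigned long). */
typedef unsigned long (*get_function_list_fn)(ck_function_list_head_t **);

enum pkcs11_load_result {
    PKCS11_LOAD_OK = 0,
    PKCS11_LOAD_BAD_PATH,          /* relative or empty path: refused */
    PKCS11_LOAD_DLOPEN_FAILED,     /* module missing or not loadable */
    PKCS11_LOAD_NO_ENTRYPOINT,     /* not a PKCS#11 module */
    PKCS11_LOAD_ENTRYPOINT_FAILED  /* C_GetFunctionList reported an error */
};

struct pkcs11_module {
    void *handle;
    ck_function_list_head_t *functions;
};

/* Load the module at `path`, resolve C_GetFunctionList and fetch the
 * function table. Absolute paths only: a bare name would be resolved via
 * LD_LIBRARY_PATH and friends, which is exactly the redirection we avoid. */
enum pkcs11_load_result pkcs11_module_load(const char *path,
                                           struct pkcs11_module *out)
{
    memset(out, 0, sizeof *out);
    if (path == NULL || path[0] != '/')
        return PKCS11_LOAD_BAD_PATH;

    void *h = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL) {
        fprintf(stderr, "dlopen(%s): %s\n", path, dlerror());
        return PKCS11_LOAD_DLOPEN_FAILED;
    }

    /* POSIX idiom for converting dlsym's void* to a function pointer. */
    get_function_list_fn getlist = NULL;
    *(void **) (&getlist) = dlsym(h, "C_GetFunctionList");
    if (getlist == NULL) {
        dlclose(h);
        return PKCS11_LOAD_NO_ENTRYPOINT;
    }

    ck_function_list_head_t *fl = NULL;
    if (getlist(&fl) != 0 || fl == NULL) {   /* CKR_OK is 0 */
        dlclose(h);
        return PKCS11_LOAD_ENTRYPOINT_FAILED;
    }

    out->handle = h;
    out->functions = fl;
    return PKCS11_LOAD_OK;
}

void pkcs11_module_unload(struct pkcs11_module *m)
{
    if (m->handle != NULL)
        dlclose(m->handle);
    m->handle = NULL;
    m->functions = NULL;
}

/* Load, report the outcome, and unload again; returns the result code. */
int pkcs11_module_probe(const char *path)
{
    struct pkcs11_module m;
    enum pkcs11_load_result r = pkcs11_module_load(path, &m);
    if (r == PKCS11_LOAD_OK) {
        printf("loaded %s: Cryptoki %u.%u\n", path,
               m.functions->version.major, m.functions->version.minor);
        pkcs11_module_unload(&m);
    }
    return (int) r;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /absolute/path/to/pkcs11-module.so\n", argv[0]);
        return 2;
    }
    return pkcs11_module_probe(argv[1]) == PKCS11_LOAD_OK ? 0 : 1;
}
```

Run it with the absolute path of any PKCS#11 module installed on the system; on a glibc older than 2.34 link with `-ldl`. The sign callback from the mail would then be a thin wrapper that maps the session's certificate to a token key and calls through the loaded function table, with the module path coming from the application rather than being baked in at build time.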

