gnutls-devel

initial PKCS #11 support


From: Nikos Mavrogiannopoulos
Subject: initial PKCS #11 support
Date: Sun, 16 May 2010 12:12:51 +0200
User-agent: Thunderbird 2.0.0.24 (X11/20100411)

Hello,
I have implemented a limited (to public keys and private keys) PKCS #11
API in gnutls. This was inspired mainly by the neon PKCS #11 support and
Alon's gnutls-pkcs11, although I think it has a larger scope.

A sneak preview is at
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=shortlog;h=new

* How it works:
It can be enabled with a global config file (/etc/gnutls/pkcs11.conf)
which contains the pkcs11 modules to load, or an application may ignore
it and specify explicitly the modules it uses (see
gnutls_pkcs11_init()). The file contains entries such as:
"load=/xxx/pkcs11-lib.so"

To reference PKCS #11 objects gnutls uses URLs as in
http://tools.ietf.org/html/draft-pechanec-pkcs11uri-01

This has the advantage that all existing applications that use the
gnutls functions to load keys/certificates will be able to use pkcs11
urls transparently.

With certtool a list of the available keys is shown:

./certtool --pkcs11-list
PIN required for token 'Nikos Mavrogiannopoulos (User P' in slot
'OmniKey CardMan 3121 00 00'
Enter password:
Certificate 0:
        URL: pkcs11:token=Nikos%20Mavrogiannopoulos%20%28User%20P;serial=307521161601031;model=PKCS%2315;manufacturer=EnterSafe;object=Certificate;id=db:5b:3e:b5:72:33:92:99:18:ed:bb:eb:74:68:31:bd:b2:23:67:26
        Label: Certificate
        ID: db:5b:3e:b5:72:33:92:99:18:ed:bb:eb:74:68:31:bd:b2:23:67:26


With gnutls-cli or gnutls-serv and x509certfile/x509keyfile a pkcs11 url
can be specified to use the corresponding keys and certificates.

As a backend a modified pakchois library is used (modified to load an
arbitrary library instead of looking into default paths).

An example application can be seen at:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=blob;f=doc/examples/ex-cert-select-pkcs11.c;h=64875a97601d02d3288fe802831e71ec04c919e7;hb=9c21137aed2910de498832f598ae49238f40a27b


There are still several things to be done, such as:
1. gnutls-cli/serv --x509cafile read from a pkcs11 url (certtool
--pkcs11-list-trusted does something similar already)
2. Support for PKCS #11 secret keys in PSK ciphersuites
3. Thread lock issues with sharing of pkcs11 objects (probably implement
locks around gnutls_pkcs11_privkey_t operations)
4. Allow signing of certificates with a pkcs11 key (should be trivial
using the gnutls_privkey_t api)
5. Allow reading and transforming pkcs11 public keys to certificates and
certificate requests.
6. Allow generation of keys (still thinking whether it's worthwhile)


Any comments welcome.

regards,
Nikos
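The pkcs11 URL form referenced above splits into ';'-separated "name=value" attributes whose values are percent-escaped, so a consumer must split first and decode afterwards, or an escaped ';' or '=' inside a token label would corrupt the parse. The following is an added example, not gnutls code and not part of the post: a minimal C lookup of one attribute from a pkcs11 URL such as the one certtool printed, rejecting malformed escapes instead of silently passing them through.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* URL quoted from the certtool output in the post above. */
const char *example_url =
    "pkcs11:token=Nikos%20Mavrogiannopoulos%20%28User%20P;serial=307521161601031;"
    "model=PKCS%2315;manufacturer=EnterSafe;object=Certificate;"
    "id=db:5b:3e:b5:72:33:92:99:18:ed:bb:eb:74:68:31:bd:b2:23:67:26";
/* Percent-decode the first n bytes of src into dst (room for n+1 bytes).
 * Returns 0 on success, -1 on a truncated or non-hex %XX escape. */
static int pct_decode(const char *src, size_t n, char *dst)
{
    for (size_t i = 0; i < n;) {
        if (src[i] != '%') { *dst++ = src[i++]; continue; }
        if (i + 3 > n || !isxdigit((unsigned char)src[i + 1]) ||
            !isxdigit((unsigned char)src[i + 2]))
            return -1;                          /* reject malformed escape */
        char hex[3] = { src[i + 1], src[i + 2], 0 };
        *dst++ = (char)strtol(hex, NULL, 16);
        i += 3;
    }
    *dst = 0;
    return 0;
}

/* Return a malloc'd, decoded copy of attribute `name` from a "pkcs11:" URL, or
 * NULL if the scheme is wrong, the attribute is absent, or an escape is bad. */
char *pkcs11_url_attr(const char *url, const char *name)
{
    static const char scheme[] = "pkcs11:";
    if (strncmp(url, scheme, sizeof scheme - 1) != 0)
        return NULL;
    size_t nlen = strlen(name);
    const char *p = url + sizeof scheme - 1;
    while (*p) {                                /* split on ';' before decoding */
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > nlen && p[nlen] == '=' && strncmp(p, name, nlen) == 0) {
            char *out = malloc(len - nlen);     /* value is len-nlen-1 bytes */
            if (out && pct_decode(p + nlen + 1, len - nlen - 1, out) != 0) {
                free(out); out = NULL;
            }
            return out;                         /* caller frees */
        }
        if (!end) break;
        p = end + 1;
    }
    return NULL;
}
```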