[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: heimdal pkinit compiling on debian


> I've been working on rewriting the cms function in the pkinit patch to make
> it easier to use (and reuse) them. Part of why I'm doing this is to make it
> simpler for the pkinit code to find the right certificate to use.
	CMS is the name of the certificate management system?

> I'm not sure how useable it is given its for a specific card. I think it
> should be possible to glue in. However, I think that either using opensc
> crypto function or the opensc pkcs11 module (either directly or via
> openssl).
	Using OpenSSL engine would probably let the doors for other moduls 
wider than using OpenSC itself. So I think it is a good choice to use 
OpenSL engines.
> The "load" is somewhat misnamed, its more of a configuration option, "here
> you find the private key", the current code assumes that there there is a
> openssl EVP_PKEY (RSA is assumed) that its possible to do EVP_Sign() and
> EVP_PKEY_decrypt() with.
> So if you change the code to support something more then "FILE:" that would
> be ok. Something like
> OPENSSL-ENGINE:modulename,/path/to/module.so,key_id,/path/to/certifitate.pem
> I've yet to see a way to get hold of the CA certificate and certificate
> itself that lives on the smartcard though openssl's api, so I don't really
> like this solution, but I'm sure it will be the fastest way to get it
> working.
> If you decides to work on the pkcs11 solution, I've got both pkcs11 code
> that might be a good start, and some time a ago I wrote a pkcs11 software
> module (http://people.su.se/~lha/soft-pkcs11/) so I don't need to carry
> around the smartcard reader all the time. Note that the rsa keybindling is
> turned off since it makes it not work when running inside mozilla.
	I'll see the pkcs11 solution. However AFAIK there is an opensc engine 
(not pkcs11) for OpenSSL, which is capable of signing. I'm not sure 
whether it would be wiser to use that instead of the pkcs11 module, or 
something prevents it?

>>- Is it OK if I use a new #define statement in the config.h like #define
>>UseOpenSC 1 ,as PKINIT works this way?
> Sure is. But its best if its possible do dynamicly loadable the code, but
> don't worry about that now, I'll modify any code you'll contribute to meet
> my requirements.

	OK, thanks. I think dynamical loading of modules are ok with the 
OpenSSL engine solution.

> Love