[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: heimdal pkinit compiling on debian
> Cryptographic Message Syntax, RFC3369 (aka PKCS7) encryption/signing with
> secret and private/public keys. PKINIT (and S/MIME) uses it to encrypt/sign
> My CMS implementation is somewhat independed of the using what crypto
> subsystem, but changes the view on certificates and keys to a more
> certificates centered operation mode.
> The problem is the following, how do you as an application find the
> certificate for a user ?
> With PKCS11 you can match the certificate with the public and private key,
> in openssl/engine you can get hold of _one_ public key and _one_ private
> key. But there is no associated certificate.
> There are pkcs#11 modules implemented using openssl (see soft-token and
> gpkcs11), so that isn't really and issue. They just need engine support and
> that is no hard to write.
I try to dig myself into the code and go through the - hopefully -
easier way to make opensc work using the opensc engine. If that target
is reached I will focus on the pkcs11 issue as it seems to be a much
more usable solution for long term.
> opensc have both a opensc pkcs11 openssl engine and and "pure" openssl
> engine. It was with the opensc pkcs11 openssl engine I tested the openssl
> engine code for Heimdal I wrote yestoday using soft-token.
> That said, did you get around to testing my new code, it should do what you
> want. I'll try to improve the error messages when I reinstall my test host
> and move the smartcard reader there.
I've built both the yesterday heimdal snapshots and soft-pkcs11 and
tested them. I like them!:)
>>or something prevents it?
> That prevents it is what configuration sucks.
> kinit -C ENGINE:ENGINE=dynamic,PRE=SO_PATH:/usr/lib/opensc/engine_pkcs11.so,PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,PRE=MODULE_PATH:/usr/lib/opensc/soft-pkcs11.so:CERT=/path/lha.crt,KEY=slot_0 lha@N.L.NXS.SE
> this can be shorted to
> pkinit-openssl-engine = ENGINE=dynamic,PRE=SO_PATH:/usr/lib/opensc/engine_pkcs11.so,PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,PRE=MODULE_PATH:/usr/lib/opensc/soft-pkcs11.so
> kinit -C ENGINE:CERT=/path/lha.crt,KEY=slot_0 lha@N.L.NXS.SE
> What I want is something like:
> pkinit-key-search-path = PKCS11:/path/module.so,[slot=3]
> pkinit-key-search-path = PKCS12:$HOME/.kinit.pfx
> pkinit-key-search-path = PEM:$HOME/.kinit.pem,$HOME/.kinit.key
> kinit --pkinit lha@N.L.NXS.SE
> and the code figures out what cert to use, using friendlyname, pkinit
> extended keyusage, pkinit altsubjectname, or just guessing first usable
> avaible certificate/key pair.
Nice. I'll do what I can.
p.s.: I use the 20041004 snapshots. Should I build every day the new
snapshot or there will be no major changes in the code?