[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: heimdal pkinit compiling on debian


> Cryptographic Message Syntax, RFC3369 (aka PKCS7) encryption/signing with
> secret and private/public keys. PKINIT (and S/MIME) uses it to encrypt/sign
> data.
> My CMS implementation is somewhat independed of the using what crypto
> subsystem, but changes the view on certificates and keys to a more
> certificates centered operation mode.

	I see.

> The problem is the following, how do you as an application find the
> certificate for a user ?
> With PKCS11 you can match the certificate with the public and private key,
> in openssl/engine you can get hold of _one_ public key and _one_ private
> key. But there is no associated certificate.
> There are pkcs#11 modules implemented using openssl (see soft-token and
> gpkcs11), so that isn't really and issue. They just need engine support and
> that is no hard to write.

	I try to dig myself into the code and go through the - hopefully - 
easier way to make opensc work using the opensc engine. If that target 
is reached I will focus on the pkcs11 issue as it seems to be a much 
more usable solution for long term.

> opensc have both a opensc pkcs11 openssl engine and and "pure" openssl
> engine. It was with the opensc pkcs11 openssl engine I tested the openssl
> engine code for Heimdal I wrote yestoday using soft-token.
> That said, did you get around to testing my new code, it should do what you
> want. I'll try to improve the error messages when I reinstall my test host
> and move the smartcard reader there.

	I've built both the yesterday heimdal snapshots and soft-pkcs11 and 
tested them. I like them!:)

>>or something prevents it?
> That prevents it is what configuration sucks.
> kinit -C ENGINE:ENGINE=dynamic,PRE=SO_PATH:/usr/lib/opensc/engine_pkcs11.so,PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,PRE=MODULE_PATH:/usr/lib/opensc/soft-pkcs11.so:CERT=/path/lha.crt,KEY=slot_0 lha@N.L.NXS.SE
> this can be shorted to
> [libdefaults]
> 	pkinit-openssl-engine = ENGINE=dynamic,PRE=SO_PATH:/usr/lib/opensc/engine_pkcs11.so,PRE=ID:pkcs11,PRE=LIST_ADD:1,PRE=LOAD,PRE=MODULE_PATH:/usr/lib/opensc/soft-pkcs11.so
> kinit -C ENGINE:CERT=/path/lha.crt,KEY=slot_0 lha@N.L.NXS.SE
> What I want is something like:
> [libdefaults]
>         pkinit-key-search-path = PKCS11:/path/module.so,[slot=3]
>         pkinit-key-search-path = PKCS12:$HOME/.kinit.pfx
>         pkinit-key-search-path = PEM:$HOME/.kinit.pem,$HOME/.kinit.key
> kinit --pkinit lha@N.L.NXS.SE
> and the code figures out what cert to use, using friendlyname, pkinit
> extended keyusage, pkinit altsubjectname, or just guessing first usable
> avaible certificate/key pair.

	Nice. I'll do what I can.


p.s.: I use the 20041004 snapshots. Should I build every day the new 
snapshot or there will be no major changes in the code?