[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: pkinit, openssl engines, and cert retrieval.

Title: RE: pkinit, openssl engines, and cert retrieval.


> as I mentioned in earlier posts, I'm working on an openssl engine
> which will aquire a cert/key from a myproxy server using the
> "myproxy protocol"(not the pretiest thing in the world, but I digress).

A few weeks back I suggested removing the openssl engine dependency from pkinit, and using instead a set of function pointers that perform the required operations.

One such function (if I recall correctly) was "get_certificate_chain", which returned STACK_OF(X509), which is exactly what you need to implement. It seems to me like a kludge to force all mechanisms (PCKS#11, your "myproxy protocol", etc) through the openssl engine (as you are now discovering).

The one advantage of using the openssl engine is that the engine can be configured from a string. But this seems simple enough to implement for any kerberos PKI mechanism as well.

-- Geoff