
RE: pkinit, openssl engines, and cert retrieval.

G'day,

> as I mentioned in earlier posts, I'm working on an openssl engine
> which will acquire a cert/key from a myproxy server using the
> "myproxy protocol" (not the prettiest thing in the world, but I digress).

A few weeks back I suggested removing the openssl engine dependency from pkinit, and using instead a set of function pointers that perform the required operations.

One such function (if I recall correctly) was "get_certificate_chain", which returned STACK_OF(X509), which is exactly what you need to implement. It seems to me like a kludge to force all mechanisms (PKCS#11, your "myproxy protocol", etc.) through the openssl engine (as you are now discovering).

The one advantage of using the openssl engine is that the engine can be configured from a string. But this seems simple enough to implement for any kerberos PKI mechanism as well.

-- Geoff
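As an added illustration (not code from this thread or from the pkinit source), a minimal C sketch of the function-pointer table Geoff describes: each mechanism is selected by a prefix on a config string, so the string-configurability of an OpenSSL ENGINE is kept without the ENGINE dependency. The `cert_chain` type (a stand-in for STACK_OF(X509)), the `pkinit_cert_ops` struct, the `PEM:` prefix and the embedded sample PEM text are all assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CHAIN 8

/* Hypothetical stand-in for STACK_OF(X509): pointers to each PEM block plus a count. */
typedef struct { const char *pem[MAX_CHAIN]; int count; } cert_chain;

/* One entry of the function-pointer set proposed in place of an OpenSSL ENGINE. */
typedef struct {
    const char *prefix;                                         /* e.g. "PEM:" */
    int (*get_certificate_chain)(const char *arg, cert_chain *out);
} pkinit_cert_ops;

/* Constructed sample input: a two-certificate PEM chain (bodies elided, not real certs). */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\nMIIB...user...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...issuer...\n-----END CERTIFICATE-----\n";

/* Mechanism "PEM:": split a PEM buffer into its certificates. A real build would
 * read the file named by `arg`; here the embedded sample stands in for it. */
static int pem_get_chain(const char *arg, cert_chain *out) {
    const char *begin = "-----BEGIN CERTIFICATE-----";
    const char *p = SAMPLE_PEM;
    (void)arg;
    out->count = 0;
    while ((p = strstr(p, begin)) != NULL) {
        if (out->count == MAX_CHAIN) return -1;     /* refuse oversized chains */
        out->pem[out->count++] = p;
        p += strlen(begin);
    }
    return out->count > 0 ? 0 : -1;                 /* an empty chain is an error */
}

/* Registry of mechanisms; a "MYPROXY:" entry would be added here. */
static const pkinit_cert_ops mechanisms[] = {
    { "PEM:", pem_get_chain },
};

/* Select a mechanism from a config string such as "PEM:/path/to/chain.pem". */
int pkinit_get_chain(const char *config, cert_chain *out) {
    size_t i;
    for (i = 0; i < sizeof mechanisms / sizeof mechanisms[0]; i++) {
        size_t n = strlen(mechanisms[i].prefix);
        if (strncmp(config, mechanisms[i].prefix, n) == 0)
            return mechanisms[i].get_certificate_chain(config + n, out);
    }
    return -1;   /* unknown mechanism: fail closed rather than fall back silently */
}
```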