Re: pkinit, openssl engines, and cert retrieval.

"Geoff Elgey" <Geoff.Elgey@quest.com> writes:

> G'day,
>> as I mentioned in earlier posts, I'm working on an openssl engine
>> which will acquire a cert/key from a myproxy server using the
>> "myproxy protocol" (not the prettiest thing in the world, but I digress).
> A few weeks back I suggested removing the openssl engine dependency from
> pkinit, and using instead a set of function pointers that perform the required
> operations.
> One such function (if I recall correctly) was "get_certificate_chain", which
> returned STACK_OF(X509), which is exactly what you need to implement. It seems
> to me like a kludge to force all mechanisms (PKCS#11, your "myproxy protocol",
> etc) through the openssl engine (as you are now discovering).

I think the idea is fine, but don't want to have any OpenSSL-structures in
the Heimdal API. We need to use an API that is stable.

