[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pkinit, openssl engines, and cert retrieval.

Love Hörnquist Åstrand wrote:

> "Geoff Elgey" <Geoff.Elgey@quest.com> writes:
>>>as I mentioned in earlier posts, I'm working on an openssl engine
>>>which will aquire a cert/key from a myproxy server using the
>>>"myproxy protocol"(not the pretiest thing in the world, but I digress).
>>A few weeks back I suggested removing the openssl engine dependency from
>>pkinit, and using instead a set of function pointers that perform the required
>>One such function (if I recall correctly) was "get_certificate_chain", which
>>returned STACK_OF(X509), which is exactly what you need to implement. It seems
>>to me like a kludge to force all mechanisms (PCKS#11, your "myproxy protocol",
>>etc) through the openssl engine (as you are now discovering).
> I think the idea is fine, but don't want to have any OpenSSL-structures in
> the Heimdal API. We need to use a API that is stable.

If you want a stable API, that would be PKCS#11. The Heimdal code could
call this directly and would mean it could drop the engine code.
You might also want to look at the OpenSC libp11 that is a helper lib
for applications to make it easier to use pkcs11.

> Love


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444