[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: pkinit, openssl engines, and cert retrieval.

Title: RE: pkinit, openssl engines, and cert retrieval.


>> A few weeks back I suggested removing the openssl engine dependency
>> from pkinit, and using instead a set of function pointers that perform
>> the required operations.
>> One such function (if I recall correctly) was "get_certificate_chain",
>> which returned STACK_OF(X509), which is exactly what you need to
>> implement. It seems to me like a kludge to force all mechanisms
>> (PCKS#11, your "myproxy protocol", etc) through the openssl engine
>> (as you are now discovering).
> I think the idea is fine, but don't want to have any OpenSSL-structures in
> the Heimdal API. We need to use a API that is stable.

Recently I did just this, by removing the openssl code from Heimdal PKINIT. I modified my function pointers to use "Certificate" types rather than "X509" types, and added "sign" and "verify" function pointers.

Something like the following:

struct krb5_pki_id {
   /** Get the user's certificate chain */
  int (*get_user_certificates)(krb5_pki_id *id,
                               Certificate **certificates,
                               size_t *num_certificates);
  /** Sign some data */
  int (*create_signature)(krb5_pki_id *id,
                          const heim_oid *algorithm,
                          const unsigned char *data,
                          size_t data_len,
                          unsigned char *signature,
                          size_t *signature_len);
  /** Verify a signature */
  int (*verify_signature)(krb5_pki_id *id,
                          const heim_oid *algorithm,
                          const unsigned char *data,
                          size_t data_len,
                          const unsigned char *signature,
                          size_t signature_len);

  /** Verify a certificate path */
  int (*verify_path)(krb5_pki_id *id,
                     const Certificate **certificates,
                     size_t num_certificates);

(I don't have my code with me at the moment, but I also added a function pointer for decrypting using the private key).

So code in PKINIT that called EVP_SignInit, EVP_SignUpdate, and EVP_SignFinal was replaced with a call to pki_id->create_signature(...), etc. I could also replace the code that used openssl big number handling for serial numbers.

I used two implementations: one that delegated to PKCS#11 and Openssl for the path verification, and one that used openssl and PEM-encoded files.

> If you want a stable API, that would be PKCS#11. The Heimdal
> code could call this directly and would mean it could drop the
> engine code. You might also want to look at the OpenSC libp11
> that is a helper lib for applications to make it easier to use
> pkcs11.

I think using PKCS#11 as the top level API in PKINIT is not the best approach. I'd prefer to use Heimdal types only, and delegate to PKCS#11 only if appropriate (using PEM-encoded files is an example).

-- Geoff