Re: [gnutls-dev] sign callback for certificate authentication

gnutls-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [gnutls-dev] sign callback for certificate authentication

From:	Alon Bar-Lev
Subject:	Re: [gnutls-dev] sign callback for certificate authentication
Date:	Fri, 11 May 2007 20:38:06 +0300

On 5/11/07, Simon Josefsson <address@hidden> wrote:

Hi.  I'm making Scute an optional dependency on the branch now.


OK.
Just reference me to the place I can sync your modifications.

> BTW: Your API need to allow adding user data pointer so that callbacks
> will be able to access some private data.
I've added this too.


Great!

> BTW2: You should add cleanup callback, so that resources can be
> released on session end.
> http://lists.gnupg.org/pipermail/gnutls-dev/2007-May/001557.html

This seem to be bloat to me, since it offers no additional
functionality.  Applications can cleanup resources when they deinit the
particular GnuTLS session that uses the sign callback, can they not?


We would like to add a layer for application to use...
So except get certificate/credentials/whatever, the layer should be
able to free its resources.
So if we put this at gnutls_certificate_credentials_t we should have
gnutls_certificate_free_credentials() call callback cleanup so that
resources may be released.

So that user code will look like:
gnutls_pkcs11_set_certificate (gnutls_certificate_credentials_t *cred, <id>)

And that's it!

provider code will register sign callback, put certificate and
register clean callback.

I'm considering to change the APIs (see below), so I didn't want to
spend time discussing the changes for the next release now (otherwise I
wouldn't have time to release it today).

When I have time to write down my ideas about the changes that are
necessary -- the sign callback should be set per
gnutls_certificate_credential_t and not per session -- we can discuss
the new API.  However, I'm going to be busy for about 10 days so nothing
will happen until after that.

What should be possible for you with the upcoming p11.2 release is to
write a PKCS#11 interface that can be invoked via the sign callback.  I
hope that you will be able to test signing via the callback and some
PKCS#11 provider that you have until I come back.  Then we your
experience and the new API, finalize it and bring it back into the 1.7.x
branch.


Thanks!
Alon.

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [gnutls-dev] sign callback for certificate authentication, Simon Josefsson, 2007/05/08
- Re: [gnutls-dev] sign callback for certificate authentication, Alon Bar-Lev, 2007/05/08
  - Re: [gnutls-dev] sign callback for certificate authentication, Simon Josefsson, 2007/05/14
    - Re: [gnutls-dev] sign callback for certificate authentication, Alon Bar-Lev <=
    - Re: [gnutls-dev] sign callback for certificate authentication, Simon Josefsson, 2007/05/14

Prev by Date: Re: [gnutls-dev] [opensc-devel] PKCS#11 for CryptoAPI
Next by Date: [gnutls-dev] [PATCH] Fixing OpenPGP keyring import (again)
Previous by thread: Re: [gnutls-dev] sign callback for certificate authentication
Next by thread: Re: [gnutls-dev] sign callback for certificate authentication
Index(es):
- Date
- Thread