Re: heimdal pkinit compiling on debian
Hi,
>>I plan to include support for OpenSC smartcard library to use smartcards
>>for PKINIT. It does not seem to be too hard if I understand the code
>>well: basically I should modify the _krb5_pk_load_openssl_id function,
>>which loads the private key and the certificate and the
>>_krb5_pk_create_sign function which creates the signature needed for
>>authentication.
>
>
> Is it possible to implement within OpenSSL itself?
Using OpenSSL engines, I guess so.
>
>
>>- As there will be no "loading of private key" as there is practically
>>no way to get the private key out of the card, is there a common way to
>>notify the _krb5_pk_create_sign function that the signature creation
>>should be done in a different way? Or should I invent a new method?
>>- Is it OK if I use a new #define statement in the config.h like
>>#define UseOpenSC 1
>>,as PKINIT works this way?
>
>
> The less #ifdefs the better, would be preferable for this to be
> configurable at runtime to the extent possible.
OK.
Robert
>
> -- Luke
>
> --
>