[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Splitting lib/krb5/pkinit.c
Looking around some more, I see that OpenSC has a libp11 that is
designed to be used by an application to load, and access pkcs11.so
It might be a better approach the the use of the engine directly.
There is a lot of e-mail on the OpenSC mailing list on this lately.
Geoff Elgey wrote:
> G'day,
>
>
>>Yes it is complex, and may be overkill. But rather then using the
>>engine, I would like to see PKCS11 used instead. The main use of
>>PKINIT will be with smart cards, and smart cards come with a
>>PKCS11. Browsers and other applications already know how to use
>>PKCS11, and smartcard vendors provide PKCS11 libs. If you look
>>close at the examples the engine code is loading and calling PKCS11.
>
>
> In fact I am also using PKCS#11, which is why I wanted to avoid creating an openssl engine. Personally, I would prefer to use the PKCS#11 API in PKINIT rather than openssl, as you suggest.
>
> However, I assumed in my proposal that openssl API was used in PKINIT for non-PKCS#11 use cases (such as loading keys and certificates from files). Also, the verification of the server's certificate required additional non-PKCS#11 information (such as the location of the trusted certificates directory). These two considerations lead me to a non-PKCS#11 API (although I am glad to change this).
>
>
>>>Examination of the PKINIT code reveals that the following
>>>information is required from the user:
>>>
>>> * the user's private key
>>
>>Not really the private key, but access to the signing function that
>>can use the key. With a smartcard, the key never leaves the card.
>
>
> True. I did think about proposing a "sign" and "verify" abstraction (as per the PKCS#11 API). However, my aim was to keep as much of the original API used in Heimdal PKINIT as possible, which meant using the openssl EVP_PKEY type. I wrote some code that creates an EVP_PKEY which delegates to PKCS#11. Of course, using PKCS#11 in the first place would have been simpler.
>
> re: obtaining trusted certificates
>
>
>>This is the standard OpenSSL way of handling trust certificates.
>>Since they need to be trusted by the local system there may be
>>security risks in fetching them from a URL.
>
>
> True. However, the point is to provide an alternative, if required.
>
> re: creating a krb5_pki_identity implementation
>
>
>>No don't put this burden on the applicaiton. Using PKCS11 makes
>>a lot more sense. It depends on what is in your krb5_pki_identity.
>>If its a pointer to the pkcs11 lib to use, then OK.
>
>
> My krb5_pki_identity implementation does use PCKS#11 (although it then creates openssl EVP_PKEY and X509 types delegating to the PKCS#11 instance).
>
>
>>If the engine to pkcs11 code was removed, and replaced with
>>pkcs11 calls from PKINIT then that would simplify and standardize
>>the interface.
>
>
> I agree. The use of PKCS#11 calls only in the Heimdal PKINIT implementation has my full support. However, if an openssl interface is required, then a PKCS#11-to-openssl implementation of krb5_pki_identity may be provided.
>
> -- Geoff
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444