[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: pkinit, openssl engines, and cert retrieval.

To: "Douglas E. Engert" <deengert@anl.gov>, =?Windows-1252?Q?Love_H=F6rnquist_=C5strand?= <lha@kth.se>
Subject: RE: pkinit, openssl engines, and cert retrieval.
From: "Geoff Elgey" <Geoff.Elgey@quest.com>
Date: Sat, 22 Oct 2005 07:50:39 +1000
Cc: "Matthew N. Andrews" <matt@slackers.net>, <heimdal-discuss@sics.se>
Sender: owner-heimdal-discuss@sics.se
Thread-Index: AcXWb7lWVuFarrucTDKCwzGRY+ArIAAD3GWm
Thread-Topic: pkinit, openssl engines, and cert retrieval.

Title: RE: pkinit, openssl engines, and cert retrieval.

G'day,

>> A few weeks back I suggested removing the openssl engine dependency
>> from pkinit, and using instead a set of function pointers that perform
>> the required operations.
>>
>> One such function (if I recall correctly) was "get_certificate_chain",
>> which returned STACK_OF(X509), which is exactly what you need to
>> implement. It seems to me like a kludge to force all mechanisms
>> (PCKS#11, your "myproxy protocol", etc) through the openssl engine
>> (as you are now discovering).
>
> I think the idea is fine, but don't want to have any OpenSSL-structures in
> the Heimdal API. We need to use a API that is stable.

Recently I did just this, by removing the openssl code from Heimdal PKINIT. I modified my function pointers to use "Certificate" types rather than "X509" types, and added "sign" and "verify" function pointers.

Something like the following:

struct krb5_pki_id {
   /** Get the user's certificate chain */
int (*get_user_certificates)(krb5_pki_id *id,
                               Certificate **certificates,
                               size_t *num_certificates);

/** Sign some data */
int (*create_signature)(krb5_pki_id *id,
                          const heim_oid *algorithm,
                          const unsigned char *data,
                          size_t data_len,
                          unsigned char *signature,
                          size_t *signature_len);

/** Verify a signature */
int (*verify_signature)(krb5_pki_id *id,
                          const heim_oid *algorithm,
                          const unsigned char *data,
                          size_t data_len,
                          const unsigned char *signature,
                          size_t signature_len);

/** Verify a certificate path */
int (*verify_path)(krb5_pki_id *id,
                     const Certificate **certificates,
                     size_t num_certificates);
}

(I don't have my code with me at the moment, but I also added a function pointer for decrypting using the private key).

So code in PKINIT that called EVP_SignInit, EVP_SignUpdate, and EVP_SignFinal was replaced with a call to pki_id->create_signature(...), etc. I could also replace the code that used openssl big number handling for serial numbers.

I used two implementations: one that delegated to PKCS#11 and Openssl for the path verification, and one that used openssl and PEM-encoded files.

> If you want a stable API, that would be PKCS#11. The Heimdal
> code could call this directly and would mean it could drop the
> engine code. You might also want to look at the OpenSC libp11
> that is a helper lib for applications to make it easier to use
> pkcs11.

I think using PKCS#11 as the top level API in PKINIT is not the best approach. I'd prefer to use Heimdal types only, and delegate to PKCS#11 only if appropriate (using PEM-encoded files is an example).

-- Geoff

Prev by Date: Re: pkinit, openssl engines, and cert retrieval.
Next by Date: incompatibility between Heimdal GSSAPI and MIT GSSAPI for aes256-cts-hmac-sha1-96 credentials?
Prev by thread: Re: pkinit, openssl engines, and cert retrieval.
Next by thread: Tracing Failures in ASN.1 Stubs and General Heimdal Dev
Index(es):
- Date
- Thread