[ https://issues.apache.org/jira/browse/SERF-27?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15141385#comment-15141385 ]

Brian P. Hinz edited comment on SERF-27 at 2/10/16 6:21 PM:
------------------------------------------------------------

Thanks for responding Bert.  In theory, that approach would still be valid as 
long as the path to the client certificate is not specified as a PKCS11 URI.  
The patch relies on functionality supplied by engine_pkcs11 (which in turn 
relies on libp11), and p11-kit.  I don't have any way to verify this, but it's 
my understanding that all three of those can readily be built for win32 using 
mingw, so hopefully using a PKCS11 URI also works on Windows platforms without 
the need to patch & build OpenSSL (in that case, I don't know how/if the MS 
CAPI fits into the picture at all...).  I have successfully built otherwise 
vanilla versions of both svn 1.7 and 1.8 on CentOS 6.6 and linked them against 
serf 1.3.7 using this patch that both work with PKCS11 and PKCS12, just by 
changing the value of ssl-client-cert-file from a file path to a pkcs11 uri.

A couple of notes for anyone testing this patch:

(1) I found a deadlock in the libp11 v0.3.1 thread safety code that gets 
exposed by multi-threaded applications like serf.  That has since been fixed 
(commit c730ba6), but be aware of that if you are linking against libp11-0.3.1.

(2) Engine PKCS11 can parse PKCS11 URI identifiers such as object=<CKA_LABEL> 
or id=<CKA_ID>, however it does so in a manner that adheres to RFC7512.  This 
means that you need to specify CKA_LABEL and CKA_ID attributes as percent 
encoded strings (for example: id=%69%95%3E%5C%F4%BD%EC%91; ).  Also, if you 
want to use the object identifier, you must ensure that both of the 
corresponding CKO_CERTIFICATE and CKO_PRIVATE_KEY objects have the same label.  
You can not specify a URI with both an object identifier and an id and expect 
it to work unless both objects have that CKA_LABEL or CKA_ID attribute (IIRC, 
the label takes precedence).
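As an added example (not code from serf, engine_pkcs11 or the commenter), here is a small Python builder/parser for RFC 7512 pkcs11: URIs that shows the percent-encoding the note above calls for, including a label containing ';' that would otherwise break the attribute split; the function names, the token/label values and the pin-source handling are assumptions, and the CKA_ID bytes are the ones quoted in the note.

```python
from urllib.parse import quote, unquote_to_bytes

# Added example (not serf/engine_pkcs11 code; function names are illustrative).
# Builds and parses RFC 7512 "pkcs11:" URIs of the kind the comment above puts
# into ssl-client-cert-file in place of a file path.

def encode_id(cka_id: bytes) -> str:
    """Percent-encode every byte of a binary CKA_ID (the id=%69%95... form)."""
    return "".join("%%%02X" % b for b in cka_id)

def build_pkcs11_uri(token=None, label=None, cka_id=None, obj_type=None,
                     pin_source=None) -> str:
    """Assemble a pkcs11: URI.  Text values are percent-encoded with safe=''
    so ';', '=', '?' or '&' inside a value can never be read as a delimiter
    (RFC 7512 permits encoding more than the minimum)."""
    path = []
    if token is not None:
        path.append("token=" + quote(token, safe=""))
    if label is not None:        # CKA_LABEL selector
        path.append("object=" + quote(label, safe=""))
    if cka_id is not None:       # CKA_ID selector
        path.append("id=" + encode_id(cka_id))
    if obj_type is not None:     # e.g. "cert" or "private"
        path.append("type=" + obj_type)
    uri = "pkcs11:" + ";".join(path)
    if pin_source is not None:   # query attribute, '&'-separated
        uri += "?pin-source=" + quote(pin_source, safe="")
    return uri

def parse_pkcs11_uri(uri: str) -> dict:
    """Return the path attributes: 'id' as bytes, all others as UTF-8 text.
    Duplicate attributes are rejected, as RFC 7512 requires."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, _query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in (path.split(";") if path else []):
        name, sep, value = part.partition("=")
        if not sep or name in attrs:
            raise ValueError("malformed or duplicate attribute: %r" % part)
        raw = unquote_to_bytes(value)
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs

# Constructed sample: the CKA_ID quoted in the comment above, plus a label
# containing ';' that must be encoded to survive the path-attribute split.
SAMPLE_ID = bytes.fromhex("69953E5CF4BDEC91")
SAMPLE_URI = build_pkcs11_uri(token="svn token", label="svn;client",
                              cka_id=SAMPLE_ID, obj_type="cert")
```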


> support pkcs11 / wincapi to get ssl client certificates from hardware security 
> modules (smartcards)
> --------------------------------------------------------------------------------------------------
>
>                 Key: SERF-27
>                 URL: https://issues.apache.org/jira/browse/SERF-27
>             Project: serf
>          Issue Type: Bug
>            Reporter: Serf Importer
>              Labels: Priority-Medium, Type-Enhancement
>         Attachments: serf-1.3.7-pkcs11.patch
>
>
> it would be nice if serf would provide a hook to configure cryptography 
> modules for reading ssl client certificates of smartcards, the same as web 
> browsers do.
> e.g. in mozilla firefox there is such a possibility in preferences - 
> advanced - cryptography modules. e.g. in windows you may add a pkcs11 dll 
> that way which then shows up when you list your certificates.
> some references might be seen on
> http://www.mail-archive.com/mozilla-crypto@mozilla.org/.
> Original issue reported by *rupert.thurner*

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)