Hi Alon,
I'm definitely interested in seeing the neon SSL API extended to be able
to handle hardware tokens. The intent is that new interfaces could be
added to support this stuff, certainly.
On Sat, Nov 25, 2006 at 09:17:44PM +0200, Alon Bar-Lev wrote:
> Smartcards are dynamic, they can be inserted/removed and applications
> should not cache the user PIN (You use a smartcard since you want more
> security... :) ).
>
> So if you open TLS session, and remove/insert your card, when
> key-renegotiation time arrives, the user should be prompted for PIN
> (passphrase).
How would this work at OpenSSL level? (i.e. what is the interface to
OpenSSL to do this; a callback is registered?)
> Also if you remove token and key-renegotiation time arrives, the user
> should be prompted to insert his card.
>
> Selecting the right key is based on a serialized id, so a new
> method can be added, something like:
How would the user select such an ID? Is this something which would be
specified in the application configuration?
> ne_ssl_client_cert *ne_ssl_clicert_read_by_type(const char *type,
> const char *value);
>
> If type is "pkcs12" it will read a file, if type is "pkcs11" it will
> use key on a smartcard.
It's better to simply add a new API call for this which has the new
semantics. e.g.
ne_ssl_client_cert *ne_ssl_clicert_hwtoken(const char *id);
> So basically two callbacks need to be added to neon interface:
> - token prompt callback - called when device is unavailable.
> - passphrase prompt callback - called when access to private data needs
> a passphrase. Can also be used for pkcs12 files.
The interface to OpenSSL requires that both of these actions are
implemented as callbacks, is that right?
This could be done by making the ne_ssl_clicert_hwtoken() interface take
a callback argument, maybe something like:
ne_ssl_client_cert *ne_ssl_clicert_hwtoken(const char *id,
ne_ssl_clicert_token_cb callback, void *userdata);
Would something like that make sense?
Regards,
joe
_______________________________________________
neon mailing list
[email protected]
http://mailman.webdav.org/mailman/listinfo/neon
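As an added illustration of the callback-driven design discussed in the thread (example code written for this page, not neon's own code and not Alon's or joe's), the sketch below shows how a single token callback could serve both prompts: the token layer asks the application to insert the card when it is absent, asks for the PIN every time the private key is needed, and wipes the PIN as soon as the token has checked it, so a renegotiation after the card was pulled prompts again instead of reusing a cached PIN. The callback type name follows joe's proposal, but its signature, the event enum, the bounded retry counts, the PKCS#11-style id string and the simulated token are all assumptions made here; no real card, OpenSSL engine or neon function is touched.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical events (assumed here, not neon's API): the token layer calls
 * back when the card is absent, and again whenever the key needs a PIN. */
enum token_event { TOKEN_INSERT = 1, TOKEN_PIN = 2 };

/* Assumed signature for the callback type joe proposed. For TOKEN_PIN the
 * application writes the PIN into buf; a non-zero return aborts the load. */
typedef int (*ne_ssl_clicert_token_cb)(void *userdata, enum token_event ev,
                                        const char *id, char *buf, size_t buflen);

/* Constructed stand-in for a PKCS#11 token; no real card is involved. */
struct sim_token { const char *id; int present; const char *pin; };

/* Zero a PIN buffer in a way the compiler will not optimise away. */
static void wipe(char *p, size_t n) { volatile char *v = p; while (n--) *v++ = 0; }

/* Hypothetical loader: locate key `id` on the token, prompting through cb.
 * Returns 1 and sets *key_ref on success, 0 on failure or abort. The PIN is
 * never stored by this layer, so every later call re-prompts. */
static int hwtoken_open_key(struct sim_token *tok, const char *id,
                            ne_ssl_clicert_token_cb cb, void *ud, int *key_ref)
{
    char pin[64];
    int tries;
    if (strcmp(tok->id, id) != 0) return 0;
    /* Card may have been pulled since last use: ask for it, bounded retries. */
    for (tries = 0; !tok->present; tries++)
        if (tries >= 3 || cb(ud, TOKEN_INSERT, id, NULL, 0) != 0) return 0;
    for (tries = 0; tries < 3; tries++) {
        int ok;
        if (cb(ud, TOKEN_PIN, id, pin, sizeof pin) != 0) return 0;
        ok = strcmp(pin, tok->pin) == 0;
        wipe(pin, sizeof pin);          /* PIN lives only for the comparison */
        if (ok) { *key_ref = 1; return 1; }
    }
    return 0;                           /* too many wrong PINs: give up */
}

/* Application side: counts prompts and answers them from constructed input. */
struct app { struct sim_token *tok; const char *pin_answer; int insert_prompts, pin_prompts; };

static int app_token_cb(void *ud, enum token_event ev, const char *id, char *buf, size_t buflen)
{
    struct app *a = ud;
    (void)id;
    if (ev == TOKEN_INSERT) { a->insert_prompts++; a->tok->present = 1; return 0; } /* "user" inserts card */
    a->pin_prompts++;
    if (!a->pin_answer) return 1;       /* user cancelled the PIN dialog */
    strncpy(buf, a->pin_answer, buflen - 1); buf[buflen - 1] = '\0';
    return 0;
}

/* Handshake, card removal, then renegotiation: one insert prompt, two PIN prompts.
 * Returns insert_prompts * 10 + pin_prompts, i.e. 12 on the expected path. */
int demo_renegotiation(void)
{
    struct sim_token tok = { "pkcs11:id=%01", 1, "1234" };   /* id string is a constructed example */
    struct app a = { &tok, "1234", 0, 0 };
    int key = 0;
    if (!hwtoken_open_key(&tok, "pkcs11:id=%01", app_token_cb, &a, &key)) return -1;
    tok.present = 0;                    /* user removes the card mid-session */
    if (!hwtoken_open_key(&tok, "pkcs11:id=%01", app_token_cb, &a, &key)) return -2;
    return a.insert_prompts * 10 + a.pin_prompts;
}

/* Wrong PIN three times: the loader fails instead of looping forever. */
int demo_wrong_pin(void)
{
    struct sim_token tok = { "pkcs11:id=%01", 1, "1234" };
    struct app a = { &tok, "0000", 0, 0 };
    int key = 0;
    int rc = hwtoken_open_key(&tok, "pkcs11:id=%01", app_token_cb, &a, &key);
    return rc == 0 && a.pin_prompts == 3;
}

/* Cancelling the PIN dialog aborts the load and hands back no key reference. */
int demo_cancel(void)
{
    struct sim_token tok = { "pkcs11:id=%01", 1, "1234" };
    struct app a = { &tok, NULL, 0, 0 };
    int key = 0;
    return hwtoken_open_key(&tok, "pkcs11:id=%01", app_token_cb, &a, &key) == 0 && key == 0;
}

int main(void)
{
    printf("renegotiation prompts (insert*10 + pin): %d\n", demo_renegotiation());
    printf("wrong PIN rejected after 3 tries: %d\n", demo_wrong_pin());
    printf("cancel aborts without a key: %d\n", demo_cancel());
    return 0;
}
```

The point of the bounded loops and the early `wipe()` is the security property Alon raises: the library layer holds the PIN only for the duration of one check and owns no copy afterwards, so a card swap or a renegotiation is always a fresh prompt, and a hostile or broken token cannot keep the application spinning on insert or PIN prompts indefinitely.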