On Mon, Nov 27, 2006 at 07:46:17PM +0200, Alon Bar-Lev wrote:
> On 11/27/06, Joe Orton <[EMAIL PROTECTED]> wrote:
> >Hi Alon,
> >
> >I'm definitely interested in seeing the neon SSL API extended to be able
> >to handle hardware tokens. The intent is that new interfaces could be
> >added to support this stuff, certainly.
>
> I am glad!
> BTW: Something is wrong with the list, I cannot subscribe.

The box running mailman currently has a large backlog of mail it's
chewing through - it should catch up eventually :(

> >How would this work at OpenSSL level? (i.e. what is the interface to
> >OpenSSL to do this; a callback is registered?)
>
> pkcs11-helper can extract the X509 certificate and RSA of the private key.
> It registers the RSA callbacks and performs the private key operations.

OK, thanks for explaining that.

> And if you wish to be nice to users, you can enumerate existing
> certificates, I don't know how much you wish the API to be flexible...
> In order to display to the user a set of available certificates you need
> to enumerate objects:
>
> list = pkcs11h_certificate_enumCertificateIds ()

It sounds like it would be useful to expose that too.

> Well... The callbacks should be common to sessions... And I think you
> should add such a callback to PKCS#12 as well, when the user should be
> prompted for a passphrase.

Do you mean common to *all* sessions; does the library require that to
be so? This means process-global state!

> Also there should be a way to specify some kind of configuration, for
> example which providers to load, provider specific parameters etc...

This is where supporting hardware tokens generally gets really awkward -
providers will be process-global state, is that correct?

Regards, joe

_______________________________________________
neon mailing list
[email protected]
http://mailman.webdav.org/mailman/listinfo/neon
