On 11/30/06, Joe Orton <[EMAIL PROTECTED]> wrote:
> Well, I hope you really mean "current implementations of PKCS#11 use global context" unless this really does derive from the standard itself.

The PKCS#11 standard loads a library and calls C_Initialize(); C_Initialize initializes the interface for the whole process.

> It's quite possible to use dynamically loaded modules with a non-process-global context in general.

Well... That's correct, but in the case of smartcards you really don't want to create a separate instance of data for each instance. For example, if the user authenticates to the smartcard, you want all instances to be authenticated. There is also an issue with object caching: smartcards are slow devices, and without a global context you end up with a non-responsive system.

> But either way, in this case, I don't think there is much value in neon wrapping such interfaces. neon could probably somehow expose an interface like:

I don't understand why. Can you please explain...

The following is an example of a patch for OpenSSH that enables PKCS#11 integration via OpenSSL:
http://alon.barlev.googlepages.com/openssh-4.5p1pkcs11-0.18.patch.bz2

The following implementation is for OpenVPN:
http://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21-external-pkcs11-helper/openvpn/pkcs11.c

The following is for QCA (future KDE crypto); it does not work via OpenSSL, it abstracts the usage:
http://websvn.kde.org/trunk/kdesupport/qca/plugins/qca-pkcs11/

> ne_ssl_client_cert *ne_ssl_clicert_native(X509 *cert, EVP_PKEY *pkey);
>
> which will let the application deal with the global stuff appropriately and then pass in the client cert, although this breaks the abstraction of the SSL toolkit and will require some buildsystem munging.

This will work... But as you said, it will break the abstraction.

I don't understand why neon cannot handle the use of the PKCS#11 stuff for the application... What exactly is the problem with the global callbacks? Maybe I can work something out.

Best Regards,
Alon Bar-Lev.

_______________________________________________
neon mailing list
[email protected]
http://mailman.webdav.org/mailman/listinfo/neon
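The process-global PKCS#11 context that the two messages above argue about, as an added example that is not part of this thread and not neon's code. The return codes are the ones the PKCS#11 specification defines, but the "module" is a constructed in-process stub standing in for a dlopen()ed library (so it runs with no smartcard), and `pkcs11_acquire`/`pkcs11_release` and the two `scenario_*` functions are hypothetical names chosen here. The first scenario shows what goes wrong when two components in one process each treat the module as their own; the second shows the one-holder, reference-counted pattern that keeps a single C_Initialize/C_Finalize pair and a single login for everyone.

```c
#include <stdio.h>

/* Return codes as defined by the PKCS#11 specification. */
typedef unsigned long CK_RV;
#define CKR_OK                           0x000UL
#define CKR_USER_NOT_LOGGED_IN           0x101UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL

/* Constructed stub standing in for a real PKCS#11 module. Like a real
 * module it has exactly one initialization state and one login state for
 * the whole process, however many callers there are. */
static int g_initialized = 0;
static int g_logged_in   = 0;

static CK_RV C_Initialize(void *args) {
    (void)args;
    if (g_initialized) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    g_initialized = 1;
    return CKR_OK;
}

static CK_RV C_Finalize(void *reserved) {
    (void)reserved;
    if (!g_initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    g_initialized = 0;
    g_logged_in   = 0;            /* C_Finalize drops every session's state */
    return CKR_OK;
}

static CK_RV C_Login(void) {
    if (!g_initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    g_logged_in = 1;
    return CKR_OK;
}

static CK_RV C_Sign(void) {
    if (!g_initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    if (!g_logged_in)   return CKR_USER_NOT_LOGGED_IN;
    return CKR_OK;
}

static void reset_stub_module(void) { g_initialized = 0; g_logged_in = 0; }

/* Scenario 1: components A and B each believe the module is theirs.
 * A initializes and logs in; B initializes (told it is already done),
 * works, and tidies up with C_Finalize. A's next operation then fails. */
CK_RV scenario_private_contexts(void) {
    reset_stub_module();
    C_Initialize(NULL);           /* A */
    C_Login();                    /* A authenticates the user */
    C_Initialize(NULL);           /* B: CKR_CRYPTOKI_ALREADY_INITIALIZED, ignored */
    C_Finalize(NULL);             /* B "cleans up" on its way out */
    return C_Sign();              /* A: CKR_CRYPTOKI_NOT_INITIALIZED */
}

/* Scenario 2: one process-wide holder owns the module. C_Initialize runs
 * on the first acquire, C_Finalize only when the last user releases, and
 * only if we were the ones who initialized (another library may have). */
static int g_refcount  = 0;
static int g_owns_init = 0;

static CK_RV pkcs11_acquire(void) {
    if (g_refcount == 0) {
        CK_RV rv = C_Initialize(NULL);
        if (rv == CKR_OK)                                g_owns_init = 1;
        else if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED) g_owns_init = 0;
        else                                             return rv;
    }
    g_refcount++;
    return CKR_OK;
}

static void pkcs11_release(void) {
    if (g_refcount > 0 && --g_refcount == 0 && g_owns_init) C_Finalize(NULL);
}

CK_RV scenario_shared_context(void) {
    reset_stub_module();
    g_refcount = 0;
    g_owns_init = 0;
    pkcs11_acquire();             /* A */
    C_Login();                    /* A authenticates the user once */
    pkcs11_acquire();             /* B: no second C_Initialize */
    CK_RV b_sign = C_Sign();      /* B: CKR_OK, login is shared */
    pkcs11_release();             /* B leaves; module stays initialized */
    CK_RV a_sign = C_Sign();      /* A: CKR_OK */
    pkcs11_release();             /* last user out: C_Finalize runs now */
    return (b_sign == CKR_OK && a_sign == CKR_OK) ? CKR_OK : a_sign;
}

int main(void) {
    printf("private contexts: A's C_Sign -> 0x%lx\n", scenario_private_contexts());
    printf("shared context:   A's C_Sign -> 0x%lx\n", scenario_shared_context());
    return 0;
}
```

The second scenario also shows the point about authentication: because the card's login state belongs to the process, B signs without a second PIN prompt once A has logged in, which is the behaviour a wrapper that spun up a private context per client could not give you.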
