On Mon, 2016-02-22 at 12:52 +0100, Richard Levitte wrote:
> 
> That takes me back to crypto/store, which is currently removed in
> master but which I have a rework of in a branch, which is meant to
> solve this exact problem, but without being exclusively tied to
> PKCS#11.  The design is to have it work with engine backends, and a
> PKCS#11 engine that's part of OpenSSL would fit that bill, so to say.

That seems ideal. The TPM ENGINE could benefit from it too.

I'd really like to look at this from the *application* developer's
point of view.

Please clear your mind of any internal OpenSSL knowledge and context,
and take a look at the OpenConnect VPN client, and the various hoops it
has to jump through to load a certificate:
http://git.infradead.org/users/dwmw2/openconnect.git/blob/v7.06:/openssl.c#l261
through to the main load_certificate() function which ends at line
916. 

(You can ignore the entire contents of openssl-pkcs11.c for now.)

Even if you discount the TPM and PKCS#11 parts, it's bad enough for
just loading certificates from a file. We force the *application* to
inspect the file that the user asked it to use, and work out what kind
of file it is. And then even the handling of the *passphrase* is
different according to what kind of file it is — PKCS#12 functions need
the password handed in, while PEM functions are given a callback
function instead.

And don't even *talk* to me about the horridness with the TPM's UI
having no way to pass through any opaque data to the callback, and the
need for that 'static struct openconnect_info *ui_vpninfo' at line 276.
Actually, do talk to me about that. Let's fix it before 1.1?

We desperately need to provide applications with a function that
silently Does The Right Thing, when given a filename or a PKCS#11 URI
or whatever other string a user might reasonably put into a config
file to specify a certificate/key.

> Shall we talk?

Absolutely :)

-- 
David Woodhouse                            Open Source Technology Centre
[email protected]                              Intel Corporation

Attachment: smime.p7s
Description: S/MIME cryptographic signature
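The type-sniffing the message describes, as an added example that is not part of the original email or of OpenConnect: a small Python classifier (constructed samples, hypothetical function names) that tells a PKCS#11 URI, PEM, PKCS#12 and other DER apart by the outer ASN.1 structure, and maps each kind to the passphrase convention the OpenSSL API forces on the application.

```python
"""Work out what kind of credential a config-file string refers to, the way
an application using OpenSSL currently has to. Constructed samples only; no
real key material is parsed."""
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def _asn1_tlv(buf, off=0):
    """Return (tag, value_offset, length) of the DER TLV starting at buf[off]."""
    tag, ln = buf[off], buf[off + 1]
    if ln & 0x80:                      # long form: low bits give the length's byte count
        n = ln & 0x7F
        ln = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        return tag, off + 2 + n, ln
    return tag, off + 2, ln


def classify(spec: str, data: bytes = b"") -> str:
    """Return 'pkcs11-uri', 'pem', 'pkcs12', 'pkcs8', 'der-cert' or 'unknown'."""
    if spec.lower().startswith("pkcs11:"):    # RFC 7512 URI: nothing on disk to inspect
        return "pkcs11-uri"
    if PEM_RE.search(data):
        return "pem"
    try:
        tag, off, _ = _asn1_tlv(data)
        if tag != 0x30:                       # DER credentials all start with SEQUENCE
            return "unknown"
        inner_tag, inner_off, inner_len = _asn1_tlv(data, off)
    except IndexError:                        # truncated or empty input
        return "unknown"
    if inner_tag == 0x02:                     # leading INTEGER is a version field
        version = int.from_bytes(data[inner_off:inner_off + inner_len], "big")
        if version == 3:
            return "pkcs12"                   # PFX ::= SEQUENCE { version INTEGER {v3(3)}, ... }
        if version == 0:
            return "pkcs8"                    # PrivateKeyInfo ::= SEQUENCE { version v1(0), ... }
        return "unknown"
    if inner_tag == 0x30:                     # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ... }
        return "der-cert"
    return "unknown"


def passphrase_convention(kind: str) -> str:
    """How the secret has to reach OpenSSL for each kind (the email's complaint)."""
    return {
        "pkcs12": "password argument",        # PKCS12_parse(p12, pass, ...) wants the string
        "pem": "pem_password_cb callback",    # PEM_read_bio_*(bio, NULL, cb, userdata) wants a callback
        "pkcs11-uri": "engine UI_METHOD",     # left to the engine's UI, opaque data is the hard part
    }.get(kind, "n/a")


# Constructed samples (not real credentials): a PEM wrapper with a fake body,
# and minimal DER headers SEQUENCE{INTEGER 3}, SEQUENCE{INTEGER 0}, SEQUENCE{SEQUENCE}.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
SAMPLE_PFX, SAMPLE_PKCS8, SAMPLE_CERT = (bytes.fromhex(h) for h in ("3003020103", "3003020100", "30023000"))
```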

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev