Menu
▾
▴
[Opensc-devel] [engine_pkcs11] Various fixes and features
|
From: Petr P. <pet...@at...> - 2013-08-30 14:45:59
|
Hello, while testing TLS client authentication using a cryprographical token in my project (libisds over cURL over OpenSSL with Athena USB token under OpenSC), I found a lot of bugs in the engine_pkcs11 plug-in for OpenSSL. Some of the bugs are so serious that they prevent from using the token through OpenSSL and can lead even to a segmentation fault. So I deciced to fix them and post the pathes here in hope the engine_pkcs11 maintainer will review them and merge them. Here is a short description, patches will be sent as replies: [PATCH 1/9] Unify PIN freeing [PATCH 2/9] Free PIN storage where needed These two patches fix memory leaks when storing a PIN code. [PATCH 3/9] Use user interface correctly This fixes a crash (segmenation fault) when loading a private key. Current code could never use a PIN passed from OpenSSL because of wrong usage of the user interface call-back data. I send a fix to cURL library <http://thread.gmane.org/gmane.comp.web.curl.library/40222> too and I tested the colaboration between cURL and engine_pkcs11 successfully. [PATCH 4/9] Hexadecimal ID string contains colons A certificate/key object hexadecimal ID is printed with colons (ab:cd:..) everywhere. Let's allow engine_pkcs11 to recognize it. Contrary current parser expects the colons by can not recognize such string as an ID. I believe it was not possible to use the hexadecimal ID before. [PATCH 5/9] Find token if no slot was specified Identifier wihout a slot number (e.g. a plain ID) always resulted to slot number 0. This searches all slots now. [PATCH 6/9] Search for a certificate by a label Searching a certificate by a label did not work and worked differently than searching a key. This caused a lot of confusion why OpenSSL can locate the key but it cannot locate the certificate. [PATCH 7/9] Decouple loging into the token [PATCH 8/9] Implement ENGINE_load_ssl_client_cert() [PATCH 9/9] Add load_ssl_client_cert test These tree patches implement ENGINE_load_ssl_client_cert() interface which allows automatic negotion of client certificate in TLS authenticatinon. The ninth patch provides a test. -- Petr |
