From: Douglas E. E. <dee...@an...> - 2013-09-10 15:29:05
Looks like it is time for some overhaul of engine_pkcs11... You have some good patches here.

The OpenSC code, including engine_pkcs11, is maintained at https://github.com/OpenSC. The best way to get these patches added would be to fork https://github.com/OpenSC/engine_pkcs11, add your patches to your fork, and submit pull requests.

Anthony Foiani has also forked engine_pkcs11 and his changes look good too, so you may want to build with his mods as well.

I also have mods to engine_pkcs11 for doing ECDSA, which have been on the back burner since 2011. I have recently been helping Sanaullah to get these working with softhsm. (I have been waiting for OpenSSL bug report #2459 of 02/23/2011 to be addressed. I might have a way to get around this, or at least get OpenSSL's attention.)

I am getting ready to submit these engine patches, and would like to use both yours and Anthony's patches.

On 8/30/2013 9:45 AM, Petr Písař wrote:
> Hello,
>
> while testing TLS client authentication using a cryptographic token in my
> project (libisds over cURL over OpenSSL with Athena USB token under OpenSC),
> I found a lot of bugs in the engine_pkcs11 plug-in for OpenSSL.
>
> Some of the bugs are so serious that they prevent using the token through
> OpenSSL and can even lead to a segmentation fault. So I decided to fix them
> and post the patches here in the hope the engine_pkcs11 maintainer will review them
> and merge them.
>
> Here is a short description; patches will be sent as replies:
>
> [PATCH 1/9] Unify PIN freeing
> [PATCH 2/9] Free PIN storage where needed
>
> These two patches fix memory leaks when storing a PIN code.
>
> [PATCH 3/9] Use user interface correctly
>
> This fixes a crash (segmentation fault) when loading a private key. Current
> code could never use a PIN passed from OpenSSL because of wrong usage of the
> user interface call-back data.
> I sent a fix to the cURL library
> <http://thread.gmane.org/gmane.comp.web.curl.library/40222> too, and I tested
> the collaboration between cURL and engine_pkcs11 successfully.
>
> [PATCH 4/9] Hexadecimal ID string contains colons
>
> A certificate/key object hexadecimal ID is printed with colons (ab:cd:..)
> everywhere. Let's allow engine_pkcs11 to recognize it. Contrary to that, the current parser
> expects the colons but cannot recognize such a string as an ID. I believe it
> was not possible to use the hexadecimal ID before.
>
> [PATCH 5/9] Find token if no slot was specified
>
> An identifier without a slot number (e.g. a plain ID) always resulted in slot
> number 0. This searches all slots now.
>
> [PATCH 6/9] Search for a certificate by a label
>
> Searching a certificate by a label did not work and worked differently than
> searching a key. This caused a lot of confusion about why OpenSSL can locate the key
> but cannot locate the certificate.
>
> [PATCH 7/9] Decouple logging into the token
> [PATCH 8/9] Implement ENGINE_load_ssl_client_cert()
> [PATCH 9/9] Add load_ssl_client_cert test
>
> These three patches implement the ENGINE_load_ssl_client_cert() interface, which
> allows automatic negotiation of the client certificate in TLS authentication. The
> ninth patch provides a test.
>
> -- Petr

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
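The colon-separated hexadecimal object ID that PATCH 4/9 discusses, as an added example that is not engine_pkcs11's own parser: a C routine that accepts both the plain form (`abcdef`) and the colon form (`ab:cd:ef`), rejects malformed input rather than silently mis-parsing it, and compares the decoded bytes against an object's raw CKA_ID. The function names are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode an object ID string into raw bytes. Each byte is two hex
 * digits; a single ':' may separate consecutive bytes ("ab:cd" or
 * "abcd"). Returns the number of bytes written, or 0 when the input
 * is empty, has an odd digit count, a leading/trailing/doubled colon,
 * a non-hex character, or does not fit in out. */
size_t parse_hex_id(const char *s, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    if (s == NULL || *s == '\0') return 0;
    while (*s) {
        int hi = hexval((unsigned char)s[0]);
        int lo = hexval((unsigned char)s[1]);   /* s[1] may be NUL -> -1 */
        if (hi < 0 || lo < 0 || n >= outlen) return 0;
        out[n++] = (unsigned char)((hi << 4) | lo);
        s += 2;
        if (*s == ':') {
            if (s[1] == '\0') return 0;        /* trailing colon */
            s++;                               /* "::" fails on next pass */
        }
    }
    return n;
}

/* Match a user-supplied ID string against an object's raw CKA_ID.
 * Returns 1 on an exact byte-for-byte match, 0 otherwise (including
 * when the string is unparsable). The 64-byte bound is an assumption. */
int hex_id_matches(const char *s, const unsigned char *id, size_t idlen)
{
    unsigned char buf[64];
    size_t n = parse_hex_id(s, buf, sizeof buf);
    return n != 0 && n == idlen && memcmp(buf, id, n) == 0;
}
```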