[PATCH 0/6] OpenSSL PKCS#11 improvements

David Woodhouse dwmw2 at infradead.org
Thu Dec 18 10:07:37 EST 2014


If we build with GnuTLS, PKCS#11 use is simple. You just put a standard
PKCS#11 URI¹ into the client_cert or private_key fields, and it Just
Works™. It'll search the PKCS#11 tokens which are enabled in the
system's p11-kit configuration, and find the object you require.
(It's not quite perfect though — it doesn't support using PKCS#11 for
ca_cert, and it doesn't support tokens that require a PIN. I may look at
those later.)

This set of patches fixes the OpenSSL side to behave similarly, so the
configuration is the same regardless of which crypto library you
build against.

Now, all I need to do is provide something like the following in my
network config:

 client_cert="pkcs11:manufacturer=piv_II;id=%01"
 private_key="pkcs11:manufacturer=piv_II;id=%01"
 pin="123456"

These patches depend on some fixes to engine_pkcs11² in order to work,
but will fail gracefully if the old engine (or no engine) is found. The
old baroque OpenSSL-specific method of explicit configuration will also
continue to work, with both old and new engines.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation

¹ https://tools.ietf.org/html/draft-pechanec-pkcs11uri-16
² https://github.com/OpenSC/engine_pkcs11/pull/9
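The message above leaves the PKCS#11 URI format itself to the draft it cites. The following is an added example, not code from the patch set, from wpa_supplicant, or from engine_pkcs11: a small parser for the `pkcs11:` URI syntax of draft-pechanec-pkcs11uri (later RFC 7512), together with the kind of attribute matching a library does when it "searches the tokens and finds the object you require". It applies the parser to the `client_cert`/`private_key` value from the configuration snippet. The token and object records it searches are constructed stand-ins, not output from a real PIV card or module, and the helper names (`parse_pkcs11_uri`, `find_objects`, `SAMPLE_TOKENS`) are this example's own.

```python
"""Added example: parse a PKCS#11 URI and select matching objects from tokens.
The token/object records below are constructed, not real device output."""
from urllib.parse import unquote_to_bytes

# Path and query attribute names from draft-pechanec-pkcs11uri.  Unknown names
# are rejected rather than ignored, so a misspelt attribute cannot silently
# widen the match to every object on every token.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-id", "slot-description", "slot-manufacturer"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def _split(section, separator, allowed):
    """Split 'name=value<sep>name=value' into a dict of percent-decoded bytes."""
    out = {}
    for part in section.split(separator) if section else []:
        name, sep, value = part.partition("=")
        if not sep or name not in allowed:
            raise ValueError(f"bad attribute: {part!r}")
        if name in out:
            raise ValueError(f"duplicate attribute: {name}")
        out[name] = unquote_to_bytes(value)  # %01 becomes the single byte 0x01
    return out


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs).  'id' stays bytes because CKA_ID is a
    binary attribute; every other attribute is decoded as UTF-8 text."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    path_attrs = {k: (v if k == "id" else v.decode("utf-8"))
                  for k, v in _split(path, ";", PATH_ATTRS).items()}
    query_attrs = {k: v.decode("utf-8")
                   for k, v in _split(query, "&", QUERY_ATTRS).items()}
    return path_attrs, query_attrs


# Which URI attribute is compared against which field of a token/object record.
TOKEN_FIELDS = {"token": "label", "manufacturer": "manufacturer",
                "serial": "serial", "model": "model"}
OBJECT_FIELDS = {"object": "label", "type": "type", "id": "id"}


def find_objects(uri, tokens):
    """Return (token label, object) pairs whose fields equal every attribute
    given in the URI.  Attributes absent from the URI match anything, so a
    short URI such as 'pkcs11:id=%01' can match objects on several tokens."""
    path_attrs, _ = parse_pkcs11_uri(uri)
    hits = []
    for token in tokens:
        if any(token.get(f) != path_attrs[a]
               for a, f in TOKEN_FIELDS.items() if a in path_attrs):
            continue
        for obj in token["objects"]:
            if all(obj.get(f) == path_attrs[a]
                   for a, f in OBJECT_FIELDS.items() if a in path_attrs):
                hits.append((token["label"], obj))
    return hits


# Constructed sample tokens (hypothetical labels, serials and objects).
SAMPLE_TOKENS = [
    {"label": "PIV card", "manufacturer": "piv_II", "model": "PKCS#15 emulated",
     "serial": "0000000000000000",
     "objects": [
         {"label": "PIV AUTH cert", "type": "cert", "id": b"\x01"},
         {"label": "PIV AUTH key", "type": "private", "id": b"\x01"},
         {"label": "SIGN cert", "type": "cert", "id": b"\x02"},
     ]},
    {"label": "Software token", "manufacturer": "example-soft-token",
     "model": "soft", "serial": "0123456789abcdef",
     "objects": [{"label": "wifi", "type": "private", "id": b"\x01"}]},
]

if __name__ == "__main__":
    # The URI from the configuration snippet selects both PIV objects with id 0x01.
    for label, obj in find_objects("pkcs11:manufacturer=piv_II;id=%01", SAMPLE_TOKENS):
        print(label, obj["type"], obj["label"])
    # Adding type=cert narrows the selection to the certificate alone.
    for label, obj in find_objects("pkcs11:manufacturer=piv_II;id=%01;type=cert", SAMPLE_TOKENS):
        print(label, obj["type"], obj["label"])
```

Two points the matcher makes visible: the URI in the message selects both the certificate and the private key with id 0x01, which is why the same string can be used for `client_cert` and `private_key`, and the `manufacturer=` attribute is what keeps the second token's object (same id) out of the result.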