[openssl-dev] Ubsec and Chil engines

David Woodhouse dwmw2 at infradead.org
Mon Feb 22 12:21:55 UTC 2016


On Mon, 2016-02-22 at 12:52 +0100, Richard Levitte wrote:
> 
> That takes me back to crypto/store, which is currently removed in
> master but which I have a rework of in a branch, which is meant to
> solve this exact problem, but without being exclusively tied to
> PKCS#11.  The design is to have it work with engine backends, and a
> PKCS#11 engine that's part of OpenSSL would fit that bill, so to say.

That seems ideal. The TPM ENGINE could benefit from it too.

I'd really like to look at this from the *application* developer's
point of view.

Please clear your mind of any internal OpenSSL knowledge and context,
and take a look at the OpenConnect VPN client, and the various hoops it
has to jump through to load a certificate:
http://git.infradead.org/users/dwmw2/openconnect.git/blob/v7.06:/openssl.c#l261
through to the main load_certificate() function which ends at line
916.

(You can ignore the entire contents of openssl-pkcs11.c for now.)

Even if you discount the TPM and PKCS#11 parts, it's bad enough for
just loading certificates from a file. We force the *application* to
inspect the file that the user asked it to use, and work out what kind
of file it is. And then even the handling of the *passphrase* is
different according to what kind of file it is — PKCS#12 functions need
the password handed in, while PEM functions are given a callback
function instead.

And don't even *talk* to me about the horridness with the TPM's UI
having no way to pass through any opaque data to the callback, and the
need for that 'static struct openconnect_info *ui_vpninfo' at line 276.
Actually, do talk to me about that. Let's fix it before 1.1?

We desperately need to provide applications with a function that
silently Does The Right Thing, when given a filename or a PKCS#11 URI
or whatever other string a user might reasonably put into a config
file to specify a certificate/key.

> Shall we talk?

Absolutely :)

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
