common pkcs11 library? [u]

common pkcs11 library? [u]

Andreas Jellinghaus-2
Hi,

using pkcs11 API isn't that easy. I wonder if we could
create a common library to make that easier?

pam_pkcs11 has many useful functions that could be used
in other apps, too.

opensc has those sslengine/p11_*.c files with functions
to make using pkcs11 api easier.

putty more or less uses that code, too, or could be moved
to use that code.

gtkcard needs an extra layer of indirection, so it can load
pkcs11 libraries at runtime and use their functions.

So I wonder: before we start hacking yet another abstraction
for gtkcard to make it work, can we maybe use the existing
code of one of those apps to create a generic layer on
top of pkcs11?

I haven't written any real world code using pkcs11 api,
so I better ask those who have :) What do you think?

Regards, Andreas
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: common pkcs11 library? [u]

Ludovic Rousseau
On 27/06/05, Andreas Jellinghaus [c] <[hidden email]> wrote:
> using pkcs11 API isn't that easy. I wonder if we could
> create a common library to make that easier?

What would this API look like?

I had a look at the opensc/src/sslengines/p11_* files and I think it
would be a very good starting point.
Work to do:
- remove or make optional OpenSSL dependency (mainly the use of
OpenSSL memory functions and p11_rsa.c)
- package as an independent library
- find a name :-)

One problem with the p11_* files is that some of them use the OpenSSL
licence and this licence is incompatible with GNU GPL. See [1].

Olaf Kirch seems to be the main author of these files. Olaf, is it
your own code or a reuse of some OpenSSL code? Would it be possible to
change the licence and use a dual licence OpenSSL/LGPL or something
like that?

Another solution would be to use a modified [L]GPL licence for the
application using the lib. See [2].

Bye,

[1] http://www.fsf.org/licensing/licenses/index_html#OpenSSL
[2] http://www.gnome.org/~markmc/openssl-and-the-gpl.html

--
 Dr. Ludovic Rousseau
 For private mail use [hidden email] and not "big brother" Google

Re: common pkcs11 library? [u]

Andreas Jellinghaus-2
On Tuesday 28 June 2005 12:04, Ludovic Rousseau wrote:
> I had a look at the opensc/src/sslengines/p11_* files and I think it
> would be a very good starting point.
> work to do:
> - remove or make optional OpenSSL dependency (mainly the use of
> OpenSSL memory functions and p11_rsa.c)

I don't know what the best way to proceed here is.
the use case is: there is some app using crypto already.
now we want to change that app to use smart cards as
alternative to key files.

so we might need to have several libraries (they can share
lots of code): one in openssl flavor, one in gnutls flavor,
and one in libnss, etc. so whatever the existing app uses
it should be easy to add smart card support.

> - package as an independent library
binary package: I agree.
but source? I'm not sure. because I think the regression tests we have
are very important, and I would like to add more of them to also cover
the openssl engines functionality. and the pkcs11 engine will use that
library.

> - find a name :-)

libezp11? libeasy11? libsimple-wrapper-on-top-of-pkc11?
add -openssl -gnutls -nss?

> One problem with the p11_* files is that some of them use the OpenSSL
> licence and this licence is incompatible with GNU GPL. See [1].
>
> Olaf Kirch seems to be the main author of these files. Olaf, is it
> your own code or a reuse of some OpenSSL code? Would it be possible to
> change the licence and use a dual licence OpenSSL/LGPL or something
> like that?

I think it was Olaf's code, and I think he already acked a BSD license for it
a long time ago, when Kevin Stefanik started to use it for the pkcs11 engine.
either we can find that mail in the ML archives, or ask him again.

for the openssl variant we don't need to care, as the target apps use openssl
already. but it is important we can write a gnutls version for gnutls users,
too, and it would need to be without openssl copyright and under lgpl license.

Andreas