From: Simon Josefsson <simon <at> josefsson.org>
Subject: Gnutls 1.7.8.p11.1
Newsgroups: gmane.comp.encryption.gpg.gnutls.devel
Date: Tuesday 8th May 2007 10:24:28 UTC
Here is the second release on the PKCS#11 branch.  This release is the
first to actually support external signing operations.  The included
PKCS#11 wrapper can be used as the callback to offload signing to a
smartcard; see gnutls-cli (src/cli.c) for examples of how to do
this.  Note that the code needs to be cleaned up, and likely contains
bugs.  I wanted to get this release out as fast as possible to reach
testers.

The NEWS entry is:

* Version 1.7.8.p11.1 (released 2007-05-08)

** Add new API to perform private key operations.
Use the new API gnutls_set_sign_function to set a callback function
that is responsible for performing the signing operation.  The
callback must follow the gnutls_sign_func prototype:

  typedef int (*gnutls_sign_func) (gnutls_session_t session,
				   gnutls_datum_t * cert,
				   const gnutls_datum_t * hash_concat,
				   gnutls_datum_t * signature);

** Add new APIs to get all user certificates from PKCS#11 provider.
The gnutls_pkcs11_get_user_certificates function looks for private keys,
and returns certificates that have the same CKA_ID attribute.

** Add new API to perform signing via the PKCS#11 library.
The function can be used by a gnutls_sign_func callback to off-load
the signing operation to a PKCS#11 provider.  Currently the limitation
is that it doesn't support multiple private keys on the smart card (it
doesn't check whether the certificate used for signing corresponds to
the private key used).

** Improved PKCS#11 support in gnutls-cli tool.
It will automatically try to load CA certificates (implemented in the
last release) and user certificates (new in this release), and
off-loads the signing operations to the PKCS#11 backend.

** API and ABI modifications:
gnutls_pkcs11_get_user_certificates: ADD.
gnutls_pkcs11_sign: ADD.
gnutls_sign_func: ADD.
gnutls_set_sign_function: ADD.
gnutls_get_sign_function: ADD.

Warning!  This is even more experimental than the experimental 1.7.x
branch.  However, the changes compared to 1.7.8 are intentionally kept
minimal, to facilitate easy merging later on.

The support is limited to:

1) Support for build-time linking to the PKCS#11 provider scute, see
   http://www.scute.org/.

2) Retrieving trusted CA certificates from the PKCS#11 provider.

3) Retrieving user certificates from the PKCS#11 provider.

4) Provide a callback to perform signing operations.

5) Provide an API to perform PKCS#11 signing via the PKCS#11 provider.

To test it, you'll need to build scute 1.1.0, and set it up (try using
it in mozilla), which requires some reading, see the Scute manual.  I
generated new keys on an OpenPGP smartcard with gpg2 --edit-card and
gpgsm-gencert.sh, then signed the CSR with certtool using the GnuTLS
test CA, and imported the certificates using 'gpgsm --import'.

If someone can explain to me how I can test other PKCS#11 providers, I
can test them too.  Supporting the NSS soft token provider is an
important target.

The gnutls-cli tool in this release automatically imports all CAs from
Scute, will load the user certificates too, and invokes Scute for
signing.  Here is the output from running it against the GnuTLS test
server:

[email protected]:~/src/gnutls-pkcs11$ ~/src/gnutls-pkcs11/src/gnutls-cli --port
5556 test.gnutls.org --ctypes x509
Resolving 'test.gnutls.org'...
Connecting to '217.13.230.178:5556'...
- Received authorization data, format 01 of 59 bytes
  data:
546869732069732074686520582e3530392041747472696275746520436572746966696361746520617574686f72697a6174696f6e20646174610a
- Received authorization data, format 02 of 46 bytes
  data:
54686973206973207468652053414d4c20617373657274696f6e20617574686f72697a6174696f6e20646174610a
- Successfully sent 1 certificate(s) to server.
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches 'test.gnutls.org'.
 # valid since: Wed Apr 18 15:29:21 CEST 2007
 # expires at: Thu Apr 17 15:29:21 CEST 2008
 # fingerprint: 08:8B:4B:0F:68:88:4E:95:15:D6:AC:F6:B3:64:81:5B
 # Subject's DN: O=GnuTLS test server,CN=test.gnutls.org
 # Issuer's DN: CN=GnuTLS test CA


- Peer's certificate is trusted
- Version: TLS 1.2
- Key Exchange: DHE RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: DEFLATE
- Handshake was completed

- Simple Client Mode:

GET / HTTP/1.1

HTTP/1.0 200 OK
Content-type: text/html



This is http://www.gnu.org/software/gnutls">GNUTLS

Session ID: 403FF1B7889FD2BF9CA9E9B70120CFB7C01F1A08EC9FD2BF0100000000042B08

If your browser supports session resuming, then you should see the same session ID, when you press the reload button.

Server Name: test.gnutls.org

Ephemeral DH using prime of 1032 bits.

Protocol version:TLS 1.2
Certificate Type:X.509
Key Exchange:DHE RSA
CompressionDEFLATE
CipherAES 256 CBC
MACSHA
CiphersuiteDHE_RSA_AES_256_CBC_SHA1


X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 4628a165
        Issuer: CN=GnuTLS test CA
        Validity:
                Not Before: Fri Apr 20 11:17:59 UTC 2007
                Not After: Wed Oct 17 11:18:02 UTC 2007
        Subject: O=Simon Josefsson,CN=Test Key
        Subject Public Key Algorithm: RSA
                Modulus (bits 1024):
                        ad:9e:08:78:73:a7:19:b0:45:58:0f:77:df:68:52:1d
                        74:c3:06:ad:d4:01:8f:e7:73:a6:2b:9b:26:90:85:bc
                        5b:f1:8c:a4:6e:44:a4:f0:c0:51:79:05:05:7e:2c:35
                        4f:fc:de:72:7f:b5:35:6f:71:8d:24:58:ee:09:a1:ba
                        1b:59:c0:64:73:50:94:f0:4f:cc:20:46:24:f3:a5:c1
                        a2:e2:80:92:9e:62:48:d3:67:91:5f:51:9e:f6:1a:fb
                        f4:0a:5d:26:7e:04:2e:15:51:a8:22:28:87:07:ca:0f
                        6e:cb:a0:58:a1:35:8b:6e:cb:9f:e0:94:a2:89:ce:31
                Exponent:
                        86:6d:78:01
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                Key Purpose (not critical):
                        TLS WWW Client.
                        TLS WWW Server.
                Subject Alternative Name (not critical):
                        DNSname: josefsson.org
                Key Usage (critical):
                        Digital signature.
                        Key encipherment.
                Subject Key Identifier (not critical):
                        b83879aed2d2f990c21a2732e2441c056ff9f9b1
                Authority Key Identifier (not critical):
                        e93c1cfbad926ee606a4562ca2e1c05327c8f295
        Signature Algorithm: RSA-SHA
        Signature:
                86:16:40:75:4a:75:c4:dd:1b:57:cf:de:d3:c8:3c:29
                31:a4:99:18:0e:86:9b:d6:5b:6d:7c:d4:1b:8c:a3:64
                de:e1:27:64:19:7c:22:2d:70:4a:11:d8:3f:b2:27:1b
                28:c5:92:d1:62:da:5a:15:4f:90:b3:d4:15:87:00:57
                a0:c8:9e:f1:96:e2:82:f2:d9:9f:4d:28:df:37:94:83
                bb:84:56:0f:06:f0:32:79:4a:38:46:e2:df:f3:16:cc
                35:da:1d:04:32:61:6f:da:e4:4d:3a:44:54:56:82:47
                6a:8e:c7:b7:79:e3:f3:1c:f2:b4:8d:ff:13:35:b9:3e
Other Information:
        MD5 fingerprint:
                c9132f91ca88ffba4d40c420570e2986
        SHA-1 fingerprint:
                bd5f80de63034ec9e2841e6309552e345c5f226f
        Public Key Id:
                b83879aed2d2f990c21a2732e2441c056ff9f9b1



Your HTTP header was:

- Peer has closed the GNUTLS connection
[email protected]:~/src/gnutls-pkcs11$

To debug things, add a '-d 10' and you'll see some debug info.  First
loading the CA certificates:

|<2>| PKCS#11 slot count 1
|<2>| PKCS#11 slot[1].description: `GnuPG Smart Card Daemon g10 Code GmbH '
|<2>| PKCS#11 slot[1].manufacturer: `g10 Code GmbH '
|<2>| PKCS#11 slot[1].token.label: `D2760001240101010001000005320000PPC Card Systems OpenPGP 00000532 '
|<2>| Adding CA certificate 1532B4BA5A8A7988CA264283591BA3A21C0BCC24 (0)
|<2>| Skipping certificate BD5F80DE63034EC9E2841E6309552E345C5F226F (0/0)

Then the user certificates:

|<2>| PKCS#11 slot count 1
|<2>| PKCS#11 slot[1].description: `GnuPG Smart Card Daemon g10 Code GmbH '
|<2>| PKCS#11 slot[1].manufacturer: `g10 Code GmbH '
|<2>| PKCS#11 slot[1].token.label: `D2760001240101010001000005320000PPC Card Systems OpenPGP 00000532 '
|<2>| Added private key BD5F80DE63034EC9E2841E6309552E345C5F226F from slot 1
|<2>| Skipping certificate 1532B4BA5A8A7988CA264283591BA3A21C0BCC24 (1/0)
|<2>| Adding user certificate BD5F80DE63034EC9E2841E6309552E345C5F226F
- Successfully sent 1 certificate(s) to server.

Then signing using the user certificate:

|<2>| PKCS#11 slot count 1
|<2>| PKCS#11 slot[1].description: `GnuPG Smart Card Daemon g10 Code GmbH '
|<2>| PKCS#11 slot[1].manufacturer: `g10 Code GmbH '
|<2>| PKCS#11 slot[1].token.label: `D2760001240101010001000005320000PPC Card Systems OpenPGP 00000532 '
|<3>| HSK[8079ee0]: CERTIFICATE VERIFY was send [134 bytes]

The 1532B4BA5A8A7988CA264283591BA3A21C0BCC24 certificate is the GnuTLS
CA, and the BD5F80DE63034EC9E2841E6309552E345C5F226F certificate is my
client certificate.
Here are the compressed sources (4.3MB):

ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-1.7.8.p11.1.tar.bz2
http://josefsson.org/gnutls/releases/pkcs11/gnutls-1.7.8.p11.1.tar.bz2

Here are GPG detached signatures signed using key 0xB565716F:

ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-1.7.8.p11.1.tar.bz2.sig
http://josefsson.org/gnutls/releases/pkcs11/gnutls-1.7.8.p11.1.tar.bz2.sig

Here are the SHA-1 and SHA-224 checksums:

0e9816d70d033af347ebb68509b515b885f9e8a5  gnutls-1.7.8.p11.1.tar.bz2
b02f2ce19e78229c01d368a84b4278b340dc7819  gnutls-1.7.8.p11.1.tar.bz2.sig
74b61d39fbfba38f61bce117e0af52a3340557d601ffb2d4e7fe85d9  gnutls-1.7.8.p11.1.tar.bz2
7b18d4502d202628971713363d33091dea398b49b9e386c9e0be3a01  gnutls-1.7.8.p11.1.tar.bz2.sig

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.  You
can contribute by reporting bugs, improving the software, or donating
money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

/Simon
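To make the CKA_ID pairing rule from the NEWS entry concrete, here is an added example (not GnuTLS's own code and not part of the post above): a small C model of the selection done by gnutls_pkcs11_get_user_certificates, plus the certificate-to-key check the announcement says the signing path does not yet make. The p11_obj struct, the stray second key and the token contents are constructed for this example; the two hex ids are the ones shown in the -d 10 trace.

```c
/* Added illustration, not GnuTLS code: the CKA_ID pairing rule described in
 * the NEWS entry above. A certificate is a user certificate only if a private
 * key with the same CKA_ID is on the token. Struct and token are constructed. */
#include <stddef.h>
#include <string.h>

enum obj_class { OBJ_PRIVKEY, OBJ_CERT };

struct p11_obj {
    enum obj_class cls;
    const char *cka_id;   /* CKA_ID in hex, as the -d 10 trace prints it */
};

/* gnutls_pkcs11_get_user_certificates rule: indices of certs with a matching key. */
size_t select_user_certs(const struct p11_obj *objs, size_t n,
                         size_t *out, size_t max_out)
{
    size_t count = 0;
    for (size_t i = 0; i < n && count < max_out; i++) {
        if (objs[i].cls != OBJ_CERT) continue;
        for (size_t j = 0; j < n; j++)
            if (objs[j].cls == OBJ_PRIVKEY &&
                strcmp(objs[j].cka_id, objs[i].cka_id) == 0) {
                out[count++] = i;
                break;
            }
    }
    return count;
}

/* The check the announcement says the signing path does not yet make: sign only
 * with the key whose CKA_ID equals the presented certificate's. -1 if none. */
int key_for_cert(const struct p11_obj *objs, size_t n, const char *cert_id)
{
    for (size_t i = 0; i < n; i++)
        if (objs[i].cls == OBJ_PRIVKEY && strcmp(objs[i].cka_id, cert_id) == 0)
            return (int)i;
    return -1;
}

/* Constructed token: CA cert without key, client cert with key, a stray key. */
const struct p11_obj demo_token[] = {
    { OBJ_CERT,    "1532B4BA5A8A7988CA264283591BA3A21C0BCC24" },
    { OBJ_PRIVKEY, "BD5F80DE63034EC9E2841E6309552E345C5F226F" },
    { OBJ_CERT,    "BD5F80DE63034EC9E2841E6309552E345C5F226F" },
    { OBJ_PRIVKEY, "0000000000000000000000000000000000000002" },
};
```

On the constructed token only the client certificate is selected (the CA certificate has no matching key), and key_for_cert refuses to pair the CA certificate with any key, which is the guard a multi-key card needs before off-loading the signature.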