serf-dev mailing list archives

From "Brian P. HInz (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (SERF-27) support pkcs11 / wincapi to get ssl client certificates from hardware security modules (smartcards)
Date Wed, 10 Feb 2016 18:22:18 GMT

    [ https://issues.apache.org/jira/browse/SERF-27?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15141385#comment-15141385 ]

Brian P. HInz edited comment on SERF-27 at 2/10/16 6:21 PM:
------------------------------------------------------------

Thanks for responding, Bert.  In theory, that approach would still be valid as long as the
path to the client certificate is not specified as a PKCS11 URI.  The patch relies on functionality
supplied by engine_pkcs11 (which in turn relies on libp11), and p11-kit.  I don't have any
way to verify this, but it's my understanding that all three of those can readily be built
for win32 using mingw, so hopefully using a PKCS11 URI also works on Windows platforms without
the need to patch & build OpenSSL (in that case, I don't know how/if the MS CAPI fits
into the picture at all...).  I have successfully built otherwise vanilla versions of both
svn 1.7 and 1.8 on CentOS 6.6 and linked them against serf 1.3.7 using this patch; both
work with PKCS11 and PKCS12, just by changing the value of ssl-client-cert-file from a file
path to a PKCS11 URI.

A couple of notes for anyone testing this patch:

(1) I found a deadlock in the libp11 v0.3.1 thread-safety code that gets exposed by multi-threaded
applications like serf.  That has since been fixed (commit c730ba6), but be aware of that
if you are linking against libp11-0.3.1.

(2) Engine PKCS11 can parse PKCS11 URI identifiers such as object=<CKA_LABEL> or id=<CKA_ID>;
however, it does so in a manner that adheres to RFC 7512.  This means that you need to specify
CKA_LABEL and CKA_ID attributes as percent-encoded strings (for example: id=%69%95%3E%5C%F4%BD%EC%91).
Also, if you want to use the object identifier, you must ensure that both of the corresponding
CKO_CERTIFICATE and CKO_PRIVATE_KEY objects have the same label.  You cannot specify a URI
with both an object identifier and an id and expect it to work unless both objects have that
CKA_LABEL or CKA_ID attribute (IIRC, the label takes precedence).

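The percent-encoding and label-matching rules in note (2) above are easy to get wrong by hand. The following is an added example, not code from the serf patch, engine_pkcs11 or libp11: it builds and parses RFC 7512 PKCS#11 URI path attributes (encoding every CKA_ID byte as %XX, as in the id= example in the comment) and then runs the resulting attributes against a constructed toy token to show why a certificate and its private key must carry the same CKA_LABEL when object= is used. The token contents, the object names and the selection function are assumptions for illustration; engine_pkcs11's real matching code is not reproduced here.

```python
"""RFC 7512 PKCS#11 URI helpers plus a toy token showing object=/id= selection."""
from urllib.parse import quote, unquote_to_bytes

# RFC 7512 section 2.3: characters allowed unescaped in a path-attribute value in
# addition to the URI "unreserved" set (ALPHA / DIGIT / "-" / "." / "_" / "~").
# Everything else, including space and "/", must be percent-encoded.
_PK11_PATH_RES_AVAIL = ":[]@!$'()*+,=&"


def encode_label(text):
    """Percent-encode a textual attribute value such as token= or object=."""
    return quote(text.encode("utf-8"), safe=_PK11_PATH_RES_AVAIL)


def encode_id(cka_id):
    """CKA_ID is an arbitrary byte string; encode every byte as %XX."""
    return "".join("%%%02X" % b for b in cka_id)


def build_pkcs11_uri(token=None, label=None, cka_id=None, obj_type=None):
    """Assemble the path part of a pkcs11: URI from the attributes given."""
    parts = []
    if token is not None:
        parts.append("token=" + encode_label(token))
    if label is not None:
        parts.append("object=" + encode_label(label))
    if cka_id is not None:
        parts.append("id=" + encode_id(cka_id))
    if obj_type is not None:
        parts.append("type=" + obj_type)  # e.g. "cert" or "private"
    return "pkcs11:" + ";".join(parts)


def parse_pkcs11_uri(uri):
    """Parse path attributes back; 'id' is returned as bytes, all others as str."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI: %r" % uri)
    path = uri[len("pkcs11:"):].split("?", 1)[0]  # query attributes ignored here
    attrs = {}
    for component in filter(None, path.split(";")):
        name, sep, value = component.partition("=")
        if not sep:
            raise ValueError("malformed attribute: %r" % component)
        if name in attrs:
            raise ValueError("duplicate attribute: %s" % name)
        raw = unquote_to_bytes(value)
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


# Constructed toy token (assumption): each object is (CKO_* class, CKA_LABEL, CKA_ID).
# The last pair deliberately gives the key a different label from its certificate.
TOKEN_OBJECTS = [
    ("CKO_CERTIFICATE", "Client Cert", bytes.fromhex("69953e5cf4bdec91")),
    ("CKO_PRIVATE_KEY", "Client Cert", bytes.fromhex("69953e5cf4bdec91")),
    ("CKO_CERTIFICATE", "Encryption Cert", bytes.fromhex("0102")),
    ("CKO_PRIVATE_KEY", "Encryption Key", bytes.fromhex("0102")),
]


def select_cert_and_key(uri, objects=TOKEN_OBJECTS):
    """Return (cert, key) matched by the URI, or None unless both match uniquely.

    Model of the behaviour described in the comment: object= filters on CKA_LABEL,
    id= filters on CKA_ID, and every attribute present must match, so a URI that
    names a label only works when the certificate and the key share that label.
    """
    attrs = parse_pkcs11_uri(uri)

    def matches(obj):
        _cls, label, cka_id = obj
        if "object" in attrs and label != attrs["object"]:
            return False
        if "id" in attrs and cka_id != attrs["id"]:
            return False
        return True

    certs = [o for o in objects if o[0] == "CKO_CERTIFICATE" and matches(o)]
    keys = [o for o in objects if o[0] == "CKO_PRIVATE_KEY" and matches(o)]
    if len(certs) != 1 or len(keys) != 1:
        return None
    return certs[0], keys[0]


if __name__ == "__main__":
    uri = build_pkcs11_uri(label="Client Cert", cka_id=bytes.fromhex("69953e5cf4bdec91"))
    print(uri)
    print(select_cert_and_key(uri))
    print(select_cert_and_key("pkcs11:object=Encryption%20Cert"))  # None: labels differ
```

Selecting by id= sidesteps the label problem when the certificate and key were provisioned with the same CKA_ID (the usual case with pkcs15-init and similar tools), which is why the id= form is the more robust choice for ssl-client-cert-file.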
> support pkcs11 / wincapi to get ssl client certificates from hardware security modules (smartcards)
> --------------------------------------------------------------------------------------------------
>
>                 Key: SERF-27
>                 URL: https://issues.apache.org/jira/browse/SERF-27
>             Project: serf
>          Issue Type: Bug
>            Reporter: Serf Importer
>              Labels: Priority-Medium, Type-Enhancement
>         Attachments: serf-1.3.7-pkcs11.patch
>
>
> it would be nice if serf would provide a hook to configure cryptography 
> modules for reading ssl client certificates of smartcards, the same as web 
> browsers do.
> e.g. in mozilla firefox there is such a possibility in preferences - 
> advanced - cryptography modules. e.g. in windows you may add a pkcs11 dll 
> that way which then shows up when you list your certificates.
> some references might be seen on
> http://www.mail-archive.com/mozilla-crypto@mozilla.org/.
> Original issue reported by *rupert.thurner*



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
