Issue 6724 - Feature request: support for PKCS11 pin input callback in public TLS api
Summary: Feature request: support for PKCS11 pin input callback in public TLS api
Status: VERIFIED WONTFIX
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: unspecified
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-11-23 15:55 UTC by silvan@kernelconcepts.de
Modified: 2020-03-19 22:13 UTC

See Also:


Description silvan@kernelconcepts.de 2010-11-23 15:55:44 UTC
Full_Name: Silvan Marco Fin
Version: 
OS: Ubuntu Linux 10.04
URL: 
Submission from: (NULL) (217.146.132.69)


Support for PKCS #11 devices in TLS via MozNSS in OpenLDAP currently lacks the
possibility to "ask" for a PIN via callback. The methods supplied in tls_m.c are
reading a PIN from a file or alternatively reading a PIN from STDIN.

To add the needed flexibility to the MozNSS part, an additional callback
argument to the init function or alternatively an additional set function for
the callback would be needed.

http://www.mozilla.org/projects/security/pki/nss/ref/ssl/pkfnc.html#1023128

provides the signature for the callback function.

Since GnuTLS and OpenSSL provide PKCS #11 support by themselves in some way, I
propose to add an additional set function to OpenLDAP's public TLS API to
register a callback with the corresponding security library.
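The registration the report asks for, as an added example that is not OpenLDAP's or NSS's own code: an application registers a PIN callback through a setter on the public TLS API, and the security library calls it back with a retry flag whenever the token rejects a PIN. The callback shape copies NSS's PK11PasswordFunc, which is what PK11_SetPasswordFunc() takes (the page's link); everything else is assumed for illustration: the setter name ldap_pvt_tls_set_pin_callback, the pin_slot_t stand-in for the opaque PK11SlotInfo, the lockout threshold of three wrong PINs, and the demo token "softhsm-demo" with PIN "1234". The library side is simulated so the file builds and runs without NSS. Two callbacks are shown: the stored-PIN one that corresponds to today's read-from-file behaviour, which refuses to answer a retry, and an interactive one that re-prompts but caps its attempts below the lockout threshold.

```c
/* Added example (not OpenLDAP or NSS code). The callback shape mirrors NSS's
 * PK11PasswordFunc, which PK11_SetPasswordFunc() takes; the setter name, slot
 * struct, lockout threshold and demo token are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PIN_MAX_FAILURES 3   /* assumed: the token locks after 3 wrong PINs */
typedef struct {             /* stand-in for NSS's opaque PK11SlotInfo */
    const char *token_name;  /* shown in the interactive prompt */
    const char *correct_pin; /* token-side secret, simulation only */
    int failed_attempts;     /* consecutive rejections, reset on success */
} pin_slot_t;

/* Same shape as PK11PasswordFunc: return a heap PIN the library frees, or
 * NULL to give up. retry != 0 means the PIN returned last time was rejected. */
typedef char *(*pin_callback_fn)(pin_slot_t *slot, int retry, void *arg);
static pin_callback_fn pin_cb;
static void *pin_cb_arg;

/* The proposed public setter (hypothetical name, not an OpenLDAP API). */
void ldap_pvt_tls_set_pin_callback(pin_callback_fn cb, void *arg) { pin_cb = cb; pin_cb_arg = arg; }

static char *dup_pin(const char *s)
{ char *p = malloc(strlen(s) + 1); return p ? strcpy(p, s) : NULL; }

/* Callback 1: a stored PIN, which is what reading a PIN file amounts to. On retry
 * it returns NULL: a rejected stored PIN will be rejected again, and replaying it
 * only spends the token's remaining attempts. */
char *stored_pin_callback(pin_slot_t *slot, int retry, void *arg)
{ (void)slot; return retry ? NULL : dup_pin((const char *)arg); }

/* Callback 2: interactive. arg carries the prompt function and an attempt
 * cap kept below the token's lockout threshold. */
typedef char *(*prompt_fn)(const char *prompt);
typedef struct { prompt_fn prompt; int attempts, max_attempts; } interactive_ctx_t;
char *interactive_pin_callback(pin_slot_t *slot, int retry, void *arg)
{
    interactive_ctx_t *ctx = arg;
    char prompt[128];
    if (retry && ctx->attempts >= ctx->max_attempts) return NULL;
    snprintf(prompt, sizeof prompt, "%sPIN for token \"%s\": ",
             retry ? "Wrong PIN. " : "", slot->token_name);
    ctx->attempts++;
    return ctx->prompt(prompt);
}

/* Library side, simulated: how NSS drives the registered callback.
 * Returns 0 on login, -1 if no PIN was obtained, -2 if the token is locked. */
int token_login(pin_slot_t *slot)
{
    int retry = 0;
    if (!pin_cb) return -1;
    for (;;) {
        char *pin, *q;
        int ok;
        if (slot->failed_attempts >= PIN_MAX_FAILURES) return -2;
        pin = pin_cb(slot, retry, pin_cb_arg);
        if (!pin) return -1;                        /* callback gave up */
        ok = strcmp(pin, slot->correct_pin) == 0;
        for (q = pin; *q; q++) *(volatile char *)q = 0;  /* wipe, then free */
        free(pin);
        if (ok) { slot->failed_attempts = 0; return 0; }
        slot->failed_attempts++;
        retry = 1;
    }
}

/* Scripted prompt and demo token (constructed data) so the file runs offline. */
static const char *script[2]; static int script_pos;
static char *scripted_prompt(const char *prompt)
{ printf("%s%s\n", prompt, script[script_pos]); return dup_pin(script[script_pos++]); }
static pin_slot_t demo_slot = { "softhsm-demo", "1234", 0 };
int demo_failed_attempts(void) { return demo_slot.failed_attempts; }

int run_stored_pin_scenario(const char *stored_pin)
{
    demo_slot.failed_attempts = 0;
    ldap_pvt_tls_set_pin_callback(stored_pin_callback, (void *)stored_pin);
    return token_login(&demo_slot);
}

int run_interactive_scenario(const char *first, const char *second)
{
    static interactive_ctx_t ctx;   /* static: the library keeps the pointer */
    ctx = (interactive_ctx_t){ scripted_prompt, 0, 2 };
    demo_slot.failed_attempts = 0;
    script[0] = first; script[1] = second; script_pos = 0;
    ldap_pvt_tls_set_pin_callback(interactive_pin_callback, &ctx);
    return token_login(&demo_slot);
}

int main(void)
{
    printf("stored wrong PIN: %d\n", run_stored_pin_scenario("0000"));
    printf("interactive, right on 2nd try: %d\n", run_interactive_scenario("0000", "1234"));
    return 0;
}
```

Two points carry over to a real implementation. NSS frees the string the callback returns, so an actual PK11PasswordFunc allocates it with PL_strdup() rather than malloc(). And the retry flag is the whole reason a callback beats a PIN file: a stored PIN that was just rejected must not be handed back on retry, while an interactive callback can ask again but should stop before the token's own lockout counter runs out.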
Comment 1 Howard Chu 2010-11-26 13:10:41 UTC
silvan@kernelconcepts.de wrote:
> Full_Name: Silvan Marco Fin
> Version:
> OS: Ubuntu Linux 10.04
> URL:
> Submission from: (NULL) (217.146.132.69)
>
>
> Support for PKCS #11 devices in TLS via MozNSS in OpenLDAP currently lacks the
> possibility to "ask" for a PIN via callback. The methods supplied in tls_m.c are
> reading a PIN from a file or alternatively reading a PIN from STDIN.
>
> To add the needed flexibility to the MozNSS part, an additional callback
> argument to the init function or alternatively an additional set function for
> the callback would be needed.
>
> http://www.mozilla.org/projects/security/pki/nss/ref/ssl/pkfnc.html#1023128
>
> provides the signature for the callback function.
>
> Since GnuTLS and OpenSSL provide PKCS #11 support by themselves in some way, I
> propose to add an additional set function to OpenLDAP's public TLS API to
> register a callback with the corresponding security library.
>
Probably a good idea. Feel free to submit a patch for review.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 2 Howard Chu 2011-02-28 03:00:57 UTC
moved from Incoming to Software Enhancements
Comment 3 Quanah Gibson-Mount 2020-03-19 22:13:10 UTC
moznss support is deprecated.