Full_Name: Silvan Marco Fin
Version:
OS: Ubuntu Linux 10.04
URL:
Submission from: (NULL) (217.146.132.69)

Support for PKCS #11 devices in TLS via MozNSS in OpenLDAP currently lacks the possibility to "ask" for a PIN via callback. The methods supplied in tls_m.c are reading a PIN from a file or alternatively reading a PIN from STDIN.

To add the needed flexibility to the MozNSS part, an additional callback argument to the init function or alternatively an additional set function for the callback would be needed.

http://www.mozilla.org/projects/security/pki/nss/ref/ssl/pkfnc.html#1023128

provides the signature for the callback function.

Since GnuTLS and OpenSSL provide PKCS #11 support by themselves in some way, I propose to add an additional set function to OpenLDAP's public TLS API to register a callback with the corresponding security library.

silvan@kernelconcepts.de wrote:
> Full_Name: Silvan Marco Fin
> Version:
> OS: Ubuntu Linux 10.04
> URL:
> Submission from: (NULL) (217.146.132.69)
>
>
> Support for PKCS #11 devices in TLS via MozNSS in OpenLDAP currently lacks the
> possibility to "ask" for a PIN via callback. The methods supplied in tls_m.c are
> reading a PIN from a file or alternatively reading a PIN from STDIN.
>
> To add the needed flexibility to the MozNSS part, an additional callback
> argument to the init function or alternatively an additional set function for
> the callback would be needed.
>
> http://www.mozilla.org/projects/security/pki/nss/ref/ssl/pkfnc.html#1023128
>
> provides the signature for the callback function.
>
> Since GnuTLS and OpenSSL provide PKCS #11 support by themselves in some way, I
> propose to add an additional set function to OpenLDAP's public TLS API to
> register a callback with the corresponding security library.
>

Probably a good idea. Feel free to submit a patch for review.

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

moved from Incoming to Software Enhancements
moznss support is deprecated.