Hello,

I am interested in seeing subversion work with TLS/SSL smartcard-based client certificates. Since subversion is neon based, I think this is a good starting point :)

I am working on the pkcs11-helper library that was integrated into OpenVPN, OpenSSH (soon), QCA [KDE 4], gnupg-pkcs11-scd. For neon, the relevant part is the OpenSSL interface that interacts with PKCS#11 based smartcards. It will not work in GNUTLS mode.

pkcs11-helper source can be found at:
http://alon.barlev.googlepages.com/pkcs11-helper-1.02.tar.bz2

pkcs11-helper API documentation can be found at:
http://alon.barlev.googlepages.com/pkcs11-helper-doc-1.02.tar.bz2

This library will soon be available via the OpenSC project as a standalone library.

It should be quite simple to integrate this into neon, but I am afraid that some assumptions taken by the neon interface are incorrect when working with smartcards. Smartcards are dynamic: they can be inserted/removed, and applications should not cache the user PIN (you use a smartcard since you want more security... :) ). So if you open a TLS session, and remove/insert your card, when key-renegotiation time arrives, the user should be prompted for the PIN (passphrase). Also, if you remove the token and key-renegotiation time arrives, the user should be prompted to insert his card.

Selecting the right key is based on a serialized id, so a new method can be added, something like:

ne_ssl_client_cert *ne_ssl_clicert_read_by_type(const char *type, const char *value);

If type is "pkcs12" it will read a file; if type is "pkcs11" it will use a key on a smartcard.

So basically two callbacks need to be added to the neon interface:
- token prompt callback - called when the device is unavailable.
- passphrase prompt callback - called when access to private data needs a passphrase. Can also be used for pkcs12 files.

And a new ne_ssl_clicert_read* needs to be added, to read the key identity.

Please tell me if you wish to proceed.

Best Regards,
Alon Bar-Lev.

_______________________________________________
neon mailing list
[email protected]
http://mailman.webdav.org/mailman/listinfo/neon
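The callback design proposed in the mail, as an added C sketch that is not part of the post, neon, or pkcs11-helper: a constructed in-memory "token" stands in for the smartcard, the two prompt callbacks and the read-by-type loader are hypothetical analogues of the proposed API, and every private-key use re-checks the token and re-prompts for the PIN instead of caching it.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical callback types modelled on the two callbacks proposed in the mail. */
typedef int (*token_prompt_fn)(void *ud, const char *label);
typedef int (*passphrase_prompt_fn)(void *ud, const char *prompt, char *pin, size_t len);
/* Constructed stand-in for a smartcard slot; it records presence, never the PIN. */
struct sim_token { int present; const char *label; int token_prompts; int pin_prompts; };

struct clicert_ctx {
    char type[8];                     /* "pkcs12" or "pkcs11" */
    char value[64];                   /* file path or serialized key id */
    token_prompt_fn on_token_needed;      /* called when the device is unavailable */
    passphrase_prompt_fn on_passphrase;   /* called whenever the private key is used */
    void *ud;
};
/* Simulated prompts: the user "inserts" the card and types a constructed PIN. */
static int sim_token_prompt(void *ud, const char *label) {
    struct sim_token *t = ud; (void)label; t->token_prompts++; t->present = 1; return 0;
}
static int sim_pin_prompt(void *ud, const char *prompt, char *pin, size_t len) {
    struct sim_token *t = ud; (void)prompt; t->pin_prompts++;
    snprintf(pin, len, "%s", "1234"); return 0;
}
/* Hypothetical analogue of the proposed ne_ssl_clicert_read_by_type(): records the
 * key identity only; no PIN is requested or stored at load time. */
static int clicert_read_by_type(struct clicert_ctx *c, const char *type, const char *value) {
    if (strcmp(type, "pkcs12") != 0 && strcmp(type, "pkcs11") != 0) return -1;
    snprintf(c->type, sizeof c->type, "%s", type);
    snprintf(c->value, sizeof c->value, "%s", value);
    return 0;
}
/* Every private-key use (handshake or renegotiation) re-checks the token, re-prompts
 * for the PIN and wipes it afterwards (real code should use a non-elidable wipe). */
static int use_private_key(struct clicert_ctx *c) {
    char pin[32];
    if (strcmp(c->type, "pkcs11") == 0) {
        struct sim_token *t = c->ud;
        if (!t->present && c->on_token_needed(c->ud, t->label) != 0) return -1;
    }
    if (c->on_passphrase(c->ud, "PIN:", pin, sizeof pin) != 0) return -1;
    memset(pin, 0, sizeof pin);
    return 0;
}
/* Handshake, then card removal, then renegotiation. Returns the PIN prompt count. */
static int run_session(struct sim_token *t, int *token_prompts) {
    struct clicert_ctx c = { "", "", sim_token_prompt, sim_pin_prompt, t };
    if (clicert_read_by_type(&c, "pkcs11", "serialized-id-placeholder") != 0) return -1;
    if (use_private_key(&c) != 0) return -1;   /* initial handshake: PIN prompt */
    t->present = 0;                            /* user pulls the card */
    if (use_private_key(&c) != 0) return -1;   /* renegotiation: token prompt, then PIN again */
    *token_prompts = t->token_prompts; return t->pin_prompts;
}
```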
