On Wed, 2017-07-26 at 11:16 +0200, David Sommerseth wrote:
> On 26/07/17 10:02, David Woodhouse wrote:
> [...snip...]
> >
> > Well yes, that's true. But it's more likely that I'll finally get round
> > to porting OpenVPN to something other than pkcs11-helper before that
> > happens, unfortunately.
>
> TL;DR: If you or anyone else have a chance to look into this, we will
> appreciate that effort enormously! Just grab us on ML or the
> #openvpn-devel IRC channel (FreeNode) and we can discuss it further.
>
> Steffan and I discussed what is needed to be done to port p11-kit a while
> ago; we're also not too happy about the pkcs11-helper dependency. If we
> had only had support for one SSL library, it probably would have been
> somewhat simpler. But as we strive hard to have both mbed TLS and
> OpenSSL builds to be fairly feature comparable (from an OpenVPN
> perspective), this gets a bit more challenging.
>
> IIRC, one of the more challenging parts here is to get p11-kit to play
> nicely along with mbed TLS. We are concerned that there is some need
> to also adopt mbed TLS to support p11-kit. However, I quite recently
> heard some rumours that mbed TLS provides some API for offloading sign
> and decrypt operations outside of the library; that needs to be
> investigated further and to consider if this is a better way for the
> integration.

Yeah... in my Copious Spare Time I have also been looking at integrating PKCS#11 support as a first-class citizen into OpenSSL. You really ought to be able to just pass a PKCS#11 URI instead of a filename into fairly much any API and have it Just Work. But implementing the basic crypto primitives in libp11-kit might be interesting, which makes it easier to wrap them for various crypto libraries.
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel