support pcs11 / wincapi to get ssl client certificates from hardware security modules (smartcards)

[GoogleCodeExporter]

it would be nice if serf would provide a hook to configure cryptography 
modules for reading ssl client certificates of smartcards, the same as web 
browsers do.

e.g. in mozilla firefox there is such a possibility in preferences - 
advanced - cryptography modules. e.g. in windows you may add a pkcs11 dll 
that way which then shows up when you list your certificates.

some references migt be ssen on
http://www.mail-archive.com/mozilla-crypto@mozilla.org/.

Original issue reported on code.google.com by rupert.t...@gmail.com on 9 Sep 2007 at 1:29

[GoogleCodeExporter]

related to this is issue8.

Original comment by rupert.t...@gmail.com on 9 Sep 2007 at 1:29

[GoogleCodeExporter]

agreed.  this is an important feature, esp for govt adaptation

Original comment by fastapri...@gmail.com on 24 Jan 2008 at 10:56

[GoogleCodeExporter]

Link to a discussion concerning PKCS11 in serf:
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/6f4e
61b40e8ab573/e475b468b33b12e0

Based on the comments in issue8 you'll need two things:
a. Expand the serf API to include a pkcs11 callback, probably similar as the
'serf_ssl_client_cert_provider_set' function and the 
'serf_ssl_need_client_cert_t'
declaration.

b. Implement pkcs11 based on the OpenSSL pkcs11 plugins, MS CAPI ... in 
Subversion or
other applications using serf.

If you (rupert, fastaprilia) are mainly needing this feature in Subversion, try 
to
find an interested Subversion developer. While I'm interested in this feature 
from a
technical POV, I'm out of spare time.

Original comment by lieven.govaerts@gmail.com on 25 Jan 2008 at 1:02

[GoogleCodeExporter]

lieven,
I think the user community (government and collaboration communities esp) would
benefit.  Password management is a nightmare in large enterprise.  I think the
limitation is bigger than svn, although my selfish immediate issue is there. 

In my job, we have cases where the cert is stored in a hardware crypto module 
(FIPS
compliance or requirement from agency) and the actor is another service or 
module. 

As for b), we've done a bit of work with the various platform libs and options,
saving some research time... My colleague can elaborate.

I feel the pain on the spare time.  Unfortunately I haven't written C code in 
about
10 years or else I'd pitch in.

Original comment by fastapri...@gmail.com on 25 Jan 2008 at 4:34

[GoogleCodeExporter]

As fastaprilia stated, we've done some research on the Open Source communities
implementation of a pkcs11 module - specifically in the realm of smart card 
logon in
linux. The MUSCLE project has championed the development efforts of the 
necessary
modules and API's used for such and is a great source of information.

Though not as developed, the OS community has also investigated the integration 
of
the NSS Crypto Libraries into the OS solution for obvious functional advantages 
-
namely the ability to implement OCSP into the mix.

Original comment by utex1...@gmail.com on 25 Jan 2008 at 4:54

[GoogleCodeExporter]

Are there any news about this issue, any already workig implementations with 
smartcards and pkcs11 support?

Original comment by Christop...@gmail.com on 20 Nov 2009 at 12:37

[GoogleCodeExporter]

It's still on my TODO list, but I'm currently working on another serf feature. 
I have plenty 
of time for serf in February-March next year, so if this is at the top of my 
list by then I'll 
have a go :). 

I could use some help in getting some working smartcards for the development; 
the only 
smartcard I have (my Belgian EID) was blocked during testing of svn+neon+pkcs11.

Original comment by lieven.govaerts@gmail.com on 12 Dec 2009 at 9:38

[GoogleCodeExporter]

Hello,
Just realized that serf is working in kerberos configuration better than neon 
which does not work without apparent reason.

So waiting to subversion 1.7 to switch all my users.

For this issue I can help if you like, I developed the pkcs11-helper[1] library 
which is used in some open source project for abstraction of PKCS#11 card 
access.

It is very easy to integrate it with OpenSSL proper application.

As far as I can see after initialization, it probably need change in one place: 
ssl_need_client_cert.

In the past I worked with neon[2] and even [3] but then maintainer feel the 
need to implement his own implementation.

Thoughts?

[1] https://www.opensc-project.org/opensc/wiki/pkcs11-helper
[2] http://www.mail-archive.com/neon@webdav.org/msg00315.html
[3] http://lists.gnu.org/archive/html/gnutls-devel/2010-05/msg00013.html

Original comment by alon.barlev@gmail.com on 5 Oct 2011 at 7:26

[GoogleCodeExporter]

Hello,

Is there any progress on this? AFAIK TortoiseSVN before 1.8 (svn 1.8) was 
handling smart cards without problems when using Neon. Now when Subversion 
removed Neon in 1.8 and Serf is the only option this gets even more important.

Original comment by grzegorz...@gmail.com on 19 Jun 2013 at 8:23

[GoogleCodeExporter]

Hi.

I have been discussing the impact of not having this feature directly in serf 
for Subversion on the svn devs mailing list, see [1].

I was under the impression from Stefan Küng's response in [2] that TSVN based 
on svn 1.8 with serf will still support smart cards on Windows. Not as the 
default build - but seems doable to get it working. I suggest you check out the 
TortoiseSVN mailing lists for more info.

This being said, serf has been making some progress on this issue on the 
multiple-ssl-impls branch, where I've added an abstraction of the ssl module to 
switch SSL/TLS implementations, and implemented a Mac OS X specific SSL/TLS 
module. As this module integrates with Keychain for both server certificates 
and client identities, it automatically enables the use of smart cards via 
Keychain services. On Mac OS X only.

The multiple-ssl-impls branch is not yet merged to trunk and parts of the code 
are still being debated, so this is not for the immediate future. It surely is 
a different approach than what has been suggested earlier in this thread 
(equally valid options btw).

It does create the opportunity to implement a similar module using Microsoft's 
API's for the Windows platform. This is going to take some time to implement 
though - I guess ~3 workweeks based on my work on the Mac OS X implementation 
(all in my spare time, not doing that again). Motivated volunteers are welcome. 
:-)

Lieven

[1] http://svn.haxx.se/dev/archive-2013-06/0069.shtml
[2] http://svn.haxx.se/dev/archive-2013-06/0081.shtml

Original comment by lieven.govaerts@gmail.com on 19 Jun 2013 at 8:40

• Changed state: Accepted

[GoogleCodeExporter]

Enhancement instead of issue.

Original comment by lieven.govaerts@gmail.com on 19 Jun 2013 at 8:41

• Added labels: Type-Enhancement
• Removed labels: Type-Defect