Open GoogleCodeExporter opened 9 years ago
related to this is issue8.
Original comment by rupert.t...@gmail.com
on 9 Sep 2007 at 1:29
agreed. this is an important feature, esp for govt adaptation
Original comment by fastapri...@gmail.com
on 24 Jan 2008 at 10:56
Link to a discussion concerning PKCS11 in serf:
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/6f4e61b40e8ab573/e475b468b33b12e0
Based on the comments in issue8 you'll need two things:
a. Expand the serf API to include a pkcs11 callback, probably similar to the 'serf_ssl_client_cert_provider_set' function and the 'serf_ssl_need_client_cert_t' declaration.
b. Implement pkcs11 based on the OpenSSL pkcs11 plugins, MS CAPI ... in Subversion or other applications using serf.
If you (rupert, fastaprilia) are mainly needing this feature in Subversion, try to find an interested Subversion developer. While I'm interested in this feature from a technical POV, I'm out of spare time.
Original comment by lieven.govaerts@gmail.com
on 25 Jan 2008 at 1:02
lieven,
I think the user community (government and collaboration communities esp) would benefit. Password management is a nightmare in large enterprise. I think the limitation is bigger than svn, although my selfish immediate issue is there.
In my job, we have cases where the cert is stored in a hardware crypto module (FIPS compliance or requirement from agency) and the actor is another service or module.
As for b), we've done a bit of work with the various platform libs and options, saving some research time... My colleague can elaborate.
I feel the pain on the spare time. Unfortunately I haven't written C code in about 10 years or else I'd pitch in.
Original comment by fastapri...@gmail.com
on 25 Jan 2008 at 4:34
As fastaprilia stated, we've done some research on the Open Source communities' implementation of a pkcs11 module - specifically in the realm of smart card logon in linux. The MUSCLE project has championed the development efforts of the necessary modules and APIs used for such and is a great source of information.
Though not as developed, the OS community has also investigated the integration of the NSS Crypto Libraries into the OS solution for obvious functional advantages - namely the ability to implement OCSP into the mix.
Original comment by utex1...@gmail.com
on 25 Jan 2008 at 4:54
Are there any news about this issue, any already working implementations with smartcards and pkcs11 support?
Original comment by Christop...@gmail.com
on 20 Nov 2009 at 12:37
It's still on my TODO list, but I'm currently working on another serf feature. I have plenty of time for serf in February-March next year, so if this is at the top of my list by then I'll have a go :).
I could use some help in getting some working smartcards for the development; the only smartcard I have (my Belgian EID) was blocked during testing of svn+neon+pkcs11.
Original comment by lieven.govaerts@gmail.com
on 12 Dec 2009 at 9:38
Hello,
Just realized that serf is working in kerberos configuration better than neon, which does not work without apparent reason.
So waiting for subversion 1.7 to switch all my users.
For this issue I can help if you like: I developed the pkcs11-helper[1] library, which is used in some open source projects for abstraction of PKCS#11 card access.
It is very easy to integrate it with a proper OpenSSL application.
As far as I can see, after initialization it probably needs a change in one place: ssl_need_client_cert.
In the past I worked with neon[2] and even [3], but then the maintainer felt the need to implement his own implementation.
Thoughts?
[1] https://www.opensc-project.org/opensc/wiki/pkcs11-helper
[2] http://www.mail-archive.com/neon@webdav.org/msg00315.html
[3] http://lists.gnu.org/archive/html/gnutls-devel/2010-05/msg00013.html
Original comment by alon.barlev@gmail.com
on 5 Oct 2011 at 7:26
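The two design comments above (lieven's item a, and alon's remark that the change sits at the "need client cert" point) describe the same thing: a provider callback the application registers on the SSL context, which the TLS layer invokes when the server asks for a client certificate. The following C program is an added illustration of that callback shape, not serf code and not pkcs11-helper code. It is modelled loosely on serf's file-path style callback (serf_ssl_client_cert_provider_set / serf_ssl_need_client_cert_t) and adds a hypothetical PKCS#11 variant; every type, function and path below is made up for this example, and the token is a constructed stand-in with a PIN retry counter, so the example also shows the failure mode lieven ran into (a card that blocks after repeated wrong PINs) and why the TLS layer must make exactly one login attempt per handshake.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not serf or pkcs11-helper code. All names are hypothetical. */

#define MAX_PIN_ATTEMPTS 3   /* retry counter of the constructed mock token */

/* Existing serf-style callback shape: the application names a file that holds
 * the client identity. */
typedef int (*need_client_cert_cb)(void *baton, const char **cert_path);

/* Hypothetical PKCS#11 flavour: the application names the module and the
 * object on the token, and supplies a PIN prompt callback. */
typedef struct {
    const char *module_path;   /* vendor PKCS#11 module, constructed value below */
    unsigned long slot_id;
    const char *key_label;
} pkcs11_identity_t;
typedef int (*need_pkcs11_identity_cb)(void *baton, pkcs11_identity_t *id);
typedef int (*pkcs11_pin_cb)(void *baton, char *pin, size_t pin_len);

/* Model of the SSL context holding the registered providers. */
typedef struct {
    need_client_cert_cb     cert_cb;  void *cert_baton;
    need_pkcs11_identity_cb p11_cb;   pkcs11_pin_cb pin_cb;  void *p11_baton;
} ssl_context_t;

/* Analogue of serf_ssl_client_cert_provider_set. */
void ssl_client_cert_provider_set(ssl_context_t *ctx, need_client_cert_cb cb, void *baton) {
    ctx->cert_cb = cb; ctx->cert_baton = baton;
}

/* The additional setter the thread proposes (hypothetical). */
void ssl_pkcs11_provider_set(ssl_context_t *ctx, need_pkcs11_identity_cb cb,
                             pkcs11_pin_cb pin_cb, void *baton) {
    ctx->p11_cb = cb; ctx->pin_cb = pin_cb; ctx->p11_baton = baton;
}

/* Constructed stand-in for a smart card: a PIN and a retry counter. Real tokens
 * block the PIN permanently once the counter reaches zero. */
typedef struct { const char *pin; int attempts_left; int blocked; } mock_token_t;

static int token_login(mock_token_t *tok, const char *pin) {
    if (tok->blocked) return -2;
    if (strcmp(tok->pin, pin) == 0) { tok->attempts_left = MAX_PIN_ATTEMPTS; return 0; }
    if (--tok->attempts_left == 0) { tok->blocked = 1; return -2; }
    return -1;
}

/* What the TLS layer does at its "need client cert" point: prefer a PKCS#11
 * provider if one is registered, else fall back to the file provider.
 * Returns 0 ok, -1 wrong PIN, -2 token blocked, -3 no provider registered. */
int ssl_resolve_client_identity(ssl_context_t *ctx, mock_token_t *tok, const char **out_path) {
    if (ctx->p11_cb) {
        pkcs11_identity_t id; char pin[32];
        if (ctx->p11_cb(ctx->p11_baton, &id) != 0) return -3;
        /* Exactly one login attempt per handshake; never loop on a wrong PIN
         * here, because that is how a card ends up blocked. */
        if (ctx->pin_cb(ctx->p11_baton, pin, sizeof pin) != 0) return -1;
        return token_login(tok, pin);
    }
    if (ctx->cert_cb) return ctx->cert_cb(ctx->cert_baton, out_path);
    return -3;
}

/* Sample application callbacks (constructed). */
static int app_need_cert(void *baton, const char **path) { *path = (const char *)baton; return 0; }
static int app_need_p11(void *baton, pkcs11_identity_t *id) {
    (void)baton;
    id->module_path = "/usr/lib/example-pkcs11.so";  /* constructed, not a real module */
    id->slot_id = 0; id->key_label = "auth-key"; return 0;
}
static int app_pin(void *baton, char *pin, size_t len) { snprintf(pin, len, "%s", (const char *)baton); return 0; }

/* File-based provider: returns the status of the resolution (expect 0). */
int demo_file_provider(void) {
    ssl_context_t ctx = {0}; const char *path = NULL;
    ssl_client_cert_provider_set(&ctx, app_need_cert, (void *)"client.p12");
    return ssl_resolve_client_identity(&ctx, NULL, &path);
}

/* PKCS#11 provider: run `handshakes` handshakes with the given PIN against a
 * fresh mock token whose real PIN is "1234"; returns the last status. */
int demo_pkcs11(const char *entered_pin, int handshakes) {
    ssl_context_t ctx = {0}; mock_token_t tok = { "1234", MAX_PIN_ATTEMPTS, 0 };
    int status = -3;
    ssl_pkcs11_provider_set(&ctx, app_need_p11, app_pin, (void *)entered_pin);
    for (int i = 0; i < handshakes; i++) status = ssl_resolve_client_identity(&ctx, &tok, NULL);
    return status;
}

int main(void) {
    printf("file provider: %d\n", demo_file_provider());
    printf("pkcs11, right PIN: %d\n", demo_pkcs11("1234", 1));
    printf("pkcs11, wrong PIN x3: %d\n", demo_pkcs11("0000", 3));
    return 0;
}
```

The point to take from the dispatcher is that the PKCS#11 path returns a token descriptor plus a PIN callback rather than a file path, so the setter and callback typedef are new API surface, which is exactly what item a above asks for; the one-attempt-per-handshake rule is what keeps an application bug from exhausting the card's retry counter.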
Hello,
Is there any progress on this? AFAIK TortoiseSVN before 1.8 (svn 1.8) was
handling smart cards without problems when using Neon. Now when Subversion
removed Neon in 1.8 and Serf is the only option this gets even more important.
Original comment by grzegorz...@gmail.com
on 19 Jun 2013 at 8:23
Hi.
I have been discussing the impact of not having this feature directly in serf
for Subversion on the svn devs mailing list, see [1].
I was under the impression from Stefan Küng's response in [2] that TSVN based
on svn 1.8 with serf will still support smart cards on Windows. Not as the
default build - but seems doable to get it working. I suggest you check out the
TortoiseSVN mailing lists for more info.
This being said, serf has been making some progress on this issue on the
multiple-ssl-impls branch, where I've added an abstraction of the ssl module to
switch SSL/TLS implementations, and implemented a Mac OS X specific SSL/TLS
module. As this module integrates with Keychain for both server certificates
and client identities, it automatically enables the use of smart cards via
Keychain services. On Mac OS X only.
The multiple-ssl-impls branch is not yet merged to trunk and parts of the code
are still being debated, so this is not for the immediate future. It surely is
a different approach than what has been suggested earlier in this thread
(equally valid options btw).
It does create the opportunity to implement a similar module using Microsoft's APIs for the Windows platform. This is going to take some time to implement though - I guess ~3 workweeks based on my work on the Mac OS X implementation (all in my spare time, not doing that again). Motivated volunteers are welcome. :-)
Lieven
[1] http://svn.haxx.se/dev/archive-2013-06/0069.shtml
[2] http://svn.haxx.se/dev/archive-2013-06/0081.shtml
Original comment by lieven.govaerts@gmail.com
on 19 Jun 2013 at 8:40
Enhancement instead of issue.
Original comment by lieven.govaerts@gmail.com
on 19 Jun 2013 at 8:41
The current status is that you can enable the feature for at least Subversion's usage on Windows by enabling the optional CAPI support in OpenSSL, and then applying some patches to enable more modern security ciphers.
At least TortoiseSVN & SharpSVN/SlikSVN are delivered with this feature enabled.
Original comment by b...@qqmail.nl
on 16 Aug 2015 at 11:09
Original issue reported on code.google.com by rupert.t...@gmail.com on 9 Sep 2007 at 1:29