Merging GTlsDatabase support
I've completed much of the work on GTlsDatabase. I left this work idle
for quite a while, sorry about that.

But the good news is that I've used glib-networking with the gnutls
backend to connect to a https website with a key+certificate stored on a
smart card, so a lot of the pieces are in place and ready to be used.

The work is in branches available here:

http://cgit.collabora.com/git/user/stefw/glib.git/log/?h=tls-database

http://cgit.collabora.com/git/user/stefw/glib-networking.git/log/?h=tls-database

http://cgit.collabora.com/git/user/stefw/glib-networking.git/log/?h=tls-pkcs11

I'd like to work with you on merging this into glib. Since it's quite
a bit of code, I'd like to break it up for review. That's why I'm
writing this email.

In theory this could be done in a few stages:

 1. Review and merge the glib GTlsDatabase and related stuff, along
    with the basic 'file' implementation in glib-networking.

 2. Merge the PKCS#11 based trust assertion stuff. This allows lookup
    of certificate authorities and pinned certificates in the database.

 3. Merge the PKCS#11 client certificate stuff. This allows use of keys
    on smart cards or in soft token storage.

Stage 3 depends on new unreleased versions of gnutls, although I'll be
working with them to try and backport things to gnutls 2.12.x.

Note: I've tried to consider how these interfaces would be implemented
with NSS while developing them, and I believe the design is generic
enough not to lock out an NSS (or even OpenSSL) backend.

There are several other things that might need work to make the TLS stuff
useful for client certificates, but because these branches have already
gotten big enough, I'd like to get some of them merged before working on
further code.

If you think this is a good plan, then I'll open bugs for each of these
and squash the various relevant commits into reviewable bits.

Thanks in advance,

Stef