Hello,
you were right. The only way to get the PKCS#11 access working was to patch the tls_g.c file to use gnutls_certificate_set_x509_key_file instead of gnutls_certificate_set_x509_key. The former function also handles PKCS#11 URIs. So the tlsg_get_file function is obsolete.
After applying the patch the smart card access was successful. The way to get this access working was a working p11-kit configuration and the configuration of the PKCS#11 URIs for TLS_CERT and TLS_KEY (here you can use the GnuTLS program p11tool to find out the PKCS#11 URIs). If you append the pinfile attribute to the end of the URI (provided the pin file callback patch has been applied - http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=c1eddcfe663b... ) you don't have to type in the PIN anymore (here it is necessary that the pin file has no end of line character).
Greetings, Stefan Scheidewig
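An added check for the configuration described above (example code written for this thread, not part of OpenLDAP or GnuTLS): it reads TLS_CERT and TLS_KEY from an ldaprc, splits a pkcs11: URI into its path and query attributes, pulls out the pinfile attribute, and flags a pin file whose content ends with an end-of-line character. The token and object labels in the sample ldaprc are constructed placeholders.

```python
import urllib.parse
from typing import Dict, Optional

# Constructed sample ldaprc: token/object labels are placeholders, not a real token.
SAMPLE_LDAPRC = """\
TLS_CACERT /etc/ssl/certs/ca.pem
TLS_CERT pkcs11:token=example;object=client%20cert;type=cert
TLS_KEY pkcs11:token=example;object=client%20key;type=private?pinfile=/run/user/1000/pin
"""

def parse_ldaprc(text: str) -> Dict[str, str]:
    """Return keyword -> value for every non-comment line of an ldaprc."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key.upper()] = value.strip()
    return settings

def parse_pkcs11_uri(uri: str) -> Dict[str, Dict[str, str]]:
    """Split a pkcs11: URI into ';'-separated path and '&'-separated query attributes."""
    if not uri.startswith("pkcs11:"):
        raise ValueError(f"not a PKCS#11 URI: {uri}")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")

    def attrs(part: str, sep: str) -> Dict[str, str]:
        out: Dict[str, str] = {}
        for item in filter(None, part.split(sep)):
            k, _, v = item.partition("=")
            out[k] = urllib.parse.unquote(v)  # labels may be percent-encoded
        return out

    return {"path": attrs(path_part, ";"), "query": attrs(query_part, "&")}

def check_pin_bytes(data: bytes) -> Optional[str]:
    """Why a pin file's content is unusable, or None; a trailing EOL would become part of the PIN."""
    if not data:
        return "pinfile is empty"
    if data.rstrip(b"\r\n") != data:
        return "pinfile ends with an end-of-line character"
    return None

def tls_uris(ldaprc_text: str) -> Dict[str, Optional[Dict[str, Dict[str, str]]]]:
    """Map TLS_CERT/TLS_KEY to parsed PKCS#11 URIs; a plain file path (what an
    unpatched tls_g.c expects) is reported as None."""
    settings = parse_ldaprc(ldaprc_text)
    return {k: parse_pkcs11_uri(settings[k]) if settings.get(k, "").startswith("pkcs11:") else None
            for k in ("TLS_CERT", "TLS_KEY")}
```

Run check_pin_bytes on the bytes of the file named by the pinfile attribute before pointing TLS_KEY at it.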
On 24.06.2013 19:47, Howard Chu wrote:
Michael Ströder wrote:
Stefan Scheidewig wrote:
After I managed to connect to the LDAP server with gnutls-cli (with a PKCS#11 URI containing a pinfile attribute) I tried to set those PKCS#11 URIs to the ldaprc settings TLS_KEY and TLS_CERT. But these settings are handled as PEM encoded file (see function tlsg_ctx_init in tls_g.c) and a connection initialization fails trying to read the PKCS#11 URI from the local file system.
So currently there seems to be no way to configure the OpenLDAP client to look up the PKCS#11 store for the client key as well as the client certificate to establish a client authenticated TLS connection.
If PKCS#11 support for smartcard/HSM is needed I'd try to use libnss (--with-tls=moznss). Never tried that myself though.
Or submit appropriate GnuTLS or OpenSSL patches to add the feature.