Undocumented: ssl-pkcs11-provider - What is a «Security Provider»?


Marc Wäckerlin

Aug 22, 2012, 3:27:14 AM
to us...@subversion.apache.org
Hi

I got a proprietary PKCS#11 library (for Post SuisseID smartcard) in
/usr/lib/libcvP11.so.

There is a configuration option «ssl-pkcs11-provider» in ~/.subversion/servers.

But it is absolutely undocumented what this option is, even google doesn't find
anything useful. The only documentation is: «Name of PKCS#11 provider to use».

How is the «Name of PKCS#11 provider» defined? It is *not* the name of the
PKCS#11 library, so what is it?

Everything I tried results in «unable to load PKCS#11 provider», e.g.:

user@host:~/svn/project$ LANG= svn up
svn: Invalid config: unable to load PKCS#11 provider '/usr/lib/libcvP11.so'
user@host:~/svn/project$ ls -l /usr/lib/libcvP11.so
-rwxr-xr-x 1 root root 5279688 Jul 6 14:30 /usr/lib/libcvP11.so

So:
- What is the missing link?
- How to get a PKCS#11 /usr/lib/libcvP11.so library into svn?
- Could you please add some understandable documentation?


Thank you
Regards
Marc

Daniel Shahaf

Aug 25, 2012, 12:35:50 PM
to Marc Wäckerlin, us...@subversion.apache.org, d...@subversion.apache.org
+= dev@, please drop users@ from replies

Marc Wäckerlin wrote on Wed, Aug 22, 2012 at 09:27:14 +0200:
> Hi
>
> I got a proprietary PKCS#11 library (for Post SuisseID smartcard) in
> /usr/lib/libcvP11.so.
>
> There is a configuration option «ssl-pkcs11-provider» in ~/.subversion/servers.
>
> But it is absolutely undocumented what this option is, even google doesn't find
> anything useful. The only documentation is: «Name of PKCS#11 provider to use».
>
> How is the «Name of PKCS#11 provider» defined? It is *not* the name of the
> PKCS#11 library, so what is it?
>

If you build svn against neon 0.28 or greater, the value of that option
is passed to ne_ssl_pkcs11_provider_init():
https://svn.apache.org/repos/asf/subversion/branches/1.7.x/subversion/libsvn_ra_neon/session.c

However, current trunk no longer uses the ssl-pkcs11-provider option,
but still generates a config file that documents it. (The option was
originally added in r869495(r29421) by jorton for libsvn_ra_neon.
(Marc: libsvn_ra_neon is no longer supported in trunk/1.8-to-be; only
libsvn_ra_serf will be available for http/https access.))

We should at least update the config file that trunk generates. We
might want to teach libsvn_ra_serf to support that config option (for
compatibility reasons).

Marc Wäckerlin

Aug 25, 2012, 5:21:15 PM
to Daniel Shahaf, d...@subversion.apache.org, us...@subversion.apache.org
On Saturday, 25 August 2012, 17:35:50, you wrote:
> += dev@, please drop users@ from replies

It's not a developer question, it's a usage question.
I am asking this as a user.


Sorry, but I don't understand your answer.

I build nothing, I install the packages from the ubuntu repository.

> If you build svn against neon 0.28 or greater, the value of that option
> is passed to ne_ssl_pkcs11_provider_init():
> https://svn.apache.org/repos/asf/subversion/branches/1.7.x/subversion/libsvn_ra_neon/session.c

I absolutely do not understand.

You have to specify what at compile time? That's absurd; how should the
package builder know what the users will need? And PKCS#11 libraries are
commonly loaded at runtime using dlopen, so there must surely be a way to
specify a library at runtime?!?


> However, current trunk no longer uses the ssl-pkcs11-provider option,
> but still generates a config file that documents it. (The option was
> originally added in r869495(r29421) by jorton for libsvn_ra_neon.
> (Marc: libsvn_ra_neon is no longer supported in trunk/1.8-to-be; only
> libsvn_ra_serf will be available for http/https access.))

So how is PKCS#11 specified now?


> We should at least update the config file that trunk generates. We
> might want to teach libsvn_ra_serf to support that config option (for
> compatibility reasons).


Again, the question is: How to specify /usr/lib/libcvP11.so (or any other
arbitrary library) as PKCS#11 provider?


Does SVN work with PKCS#11 tokens?
If yes: How? (I mean at runtime.)


Thank you
Regards

Lieven Govaerts

Aug 27, 2012, 2:27:40 AM
to Daniel Shahaf, Marc Wäckerlin, us...@subversion.apache.org, d...@subversion.apache.org
On Sat, Aug 25, 2012 at 6:35 PM, Daniel Shahaf <d...@daniel.shahaf.name> wrote:
> += dev@, please drop users@ from replies
>
> Marc Wäckerlin wrote on Wed, Aug 22, 2012 at 09:27:14 +0200:
>> Hi
>>
>> I got a proprietary PKCS#11 library (for Post SuisseID smartcard) in
>> /usr/lib/libcvP11.so.
>>
>> There is a configuration option «ssl-pkcs11-provider» in ~/.subversion/servers.
>>
>> But it is absolutely undocumented what this option is, even google doesn't find
>> anything useful. The only documentation is: «Name of PKCS#11 provider to use».
>>
>> How is the «Name of PKCS#11 provider» defined? It is *not* the name of the
>> PKCS#11 library, so what is it?
>>
>
> If you build svn against neon 0.28 or greater, the value of that option
> is passed to ne_ssl_pkcs11_provider_init():
> https://svn.apache.org/repos/asf/subversion/branches/1.7.x/subversion/libsvn_ra_neon/session.c
>
> However, current trunk no longer uses the ssl-pkcs11-provider option,
> but still generates a config file that documents it. (The option was
> originally added in r869495(r29421) by jorton for libsvn_ra_neon.
> (Marc: libsvn_ra_neon is no longer supported in trunk/1.8-to-be; only
> libsvn_ra_serf will be available for http/https access.))
>
> We should at least update the config file that trunk generates. We
> might want to teach libsvn_ra_serf to support that config option (for
> compatibility reasons).
>

This feature is currently missing from serf:
https://code.google.com/p/serf/issues/detail?id=27

I have this on my todo list somewhere, but currently working on other
serf-ssl related stuff.

[..]

Lieven

Joe Orton

Aug 30, 2012, 8:47:47 AM
to Marc Wäckerlin, us...@subversion.apache.org
On Wed, Aug 22, 2012 at 09:27:14AM +0200, Marc Wäckerlin wrote:
> Hi
>
> I got a proprietary PKCS#11 library (for Post SuisseID smartcard) in
> /usr/lib/libcvP11.so.
>
> There is a configuration option «ssl-pkcs11-provider» in ~/.subversion/servers.
>
> But it is absolutely undocumented what this option is, even google doesn't find
> anything useful. The only documentation is: «Name of PKCS#11 provider to use».
>
> How is the «Name of PKCS#11 provider» defined? It is *not* the name of the
> PKCS#11 library, so what is it?
> Everything I tried results in «unable to load PKCS#11 provider», e.g.:
>
> user@host:~/svn/project$ LANG= svn up
> svn: Invalid config: unable to load PKCS#11 provider '/usr/lib/libcvP11.so'
> user@host:~/svn/project$ ls -l /usr/lib/libcvP11.so
> -rwxr-xr-x 1 root root 5279688 Jul 6 14:30 /usr/lib/libcvP11.so

If you have neon built with pakchois support, it will try to load
"libFOO.so" or "FOO.so" for "ssl-pkcs11-provider = FOO", walking a
directory path which is by default /usr/lib/pkcs11:/usr/lib.

So "ssl-pkcs11-provider = cvP11" should work for that PKCS#11 module.
This code has been tested with a few software tokens and some hardware tokens
using OpenSC, but if there are problems with your token let me know.

Regards, Joe
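The lookup Joe describes (provider name, not library path; `libFOO.so` then `FOO.so` in each directory of `/usr/lib/pkcs11:/usr/lib`) is easy to reproduce, and doing so shows exactly why the full path from the original report fails while the bare name works. The following is an added example written for this thread; it is not code from neon, pakchois or Subversion. The file-name patterns and the default search path are taken from Joe's message; the `C_GetFunctionList` symbol check is the standard PKCS#11 v2 entry point and is assumed here to be what a loader would verify (the message does not say); and no special handling of path-like names is assumed, since the message mentions none. The `make_fake_provider_dir` helper only builds a constructed fixture for trying the lookup offline.

```python
"""Resolve a Subversion ``ssl-pkcs11-provider`` value the way the message
above describes neon/pakchois doing it: for ``ssl-pkcs11-provider = FOO``
try ``libFOO.so`` and then ``FOO.so`` in each directory of a search path
whose default is ``/usr/lib/pkcs11:/usr/lib``, and accept the first file
that can be dlopen()ed and exports the PKCS#11 entry point C_GetFunctionList.

Added example for this thread, not code from neon, pakchois or Subversion.
Assumptions: the C_GetFunctionList check is the standard PKCS#11 v2 entry
point (the message does not say what neon verifies), and path-like provider
names get no special treatment (the message mentions none).
"""

import ctypes
import os
import tempfile

DEFAULT_SEARCH_PATH = "/usr/lib/pkcs11:/usr/lib"  # default given in the message


def candidate_paths(provider, search_path=DEFAULT_SEARCH_PATH):
    """File names a loader would try for ``provider``, in search order.

    Plain string concatenation mirrors C-style "%s/lib%s.so" formatting, so
    a full path supplied as the provider name yields nonsense candidates
    (the failure mode in the original report).
    """
    paths = []
    for directory in search_path.split(":"):
        if not directory:
            continue
        for filename in (f"lib{provider}.so", f"{provider}.so"):
            paths.append(f"{directory}/{filename}")
    return paths


def exports_pkcs11_entry_point(path):
    """True if ``path`` loads as a shared object and exports C_GetFunctionList."""
    try:
        module = ctypes.CDLL(path)
    except OSError:  # not a shared object, wrong architecture, missing deps ...
        return False
    return hasattr(module, "C_GetFunctionList")


def resolve_provider(provider, search_path=DEFAULT_SEARCH_PATH,
                     check=exports_pkcs11_entry_point):
    """Return the first candidate that exists and passes ``check``, else None.

    None is the situation svn reports as "unable to load PKCS#11 provider".
    """
    for path in candidate_paths(provider, search_path):
        if os.path.isfile(path) and check(path):
            return path
    return None


def make_fake_provider_dir(provider):
    """Constructed fixture: a temp directory holding an empty lib<provider>.so.

    The file is found by the name lookup but is not a loadable module, which
    separates the two stages of the check.
    """
    directory = tempfile.mkdtemp(prefix="pkcs11-example-")
    with open(f"{directory}/lib{provider}.so", "wb"):
        pass
    return directory


if __name__ == "__main__":
    # The value from the original report (a full path) versus Joe's suggestion.
    for value in ("/usr/lib/libcvP11.so", "cvP11"):
        print(f"ssl-pkcs11-provider = {value}")
        for path in candidate_paths(value):
            print("   tries", path)
        found = resolve_provider(value)
        print("   ->", found or "unable to load PKCS#11 provider")
```

Run on its own, the script lists the four candidates for each of the two values from this thread: `/usr/lib/libcvP11.so` expands to paths such as `/usr/lib/pkcs11/lib/usr/lib/libcvP11.so.so`, none of which can exist, while `cvP11` reaches `/usr/lib/libcvP11.so` on the third try. Splitting the lookup into a name-to-candidates step and a load-and-check step also makes the error message more useful: a caller can report which candidates were tried and whether the failure was "no such file" or "file does not export C_GetFunctionList".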