Re: Issue 27 in serf: support pcs11 / wincapi to get ssl client certificates from hardware security modules (smartcards)


se...@googlecode.com

Nov 20, 2009, 7:38:33 AM
to serf...@googlegroups.com

Comment #6 on issue 27 by Christoph.Bernhofer: support pcs11 / wincapi to
get ssl client certificates from hardware security modules (smartcards)
http://code.google.com/p/serf/issues/detail?id=27

Is there any news about this issue, any already working implementations with
smartcards and pkcs11 support?


se...@googlecode.com

Dec 12, 2009, 4:38:18 AM
to serf...@googlegroups.com

Comment #7 on issue 27 by lieven.govaerts: support pcs11 / wincapi to get
ssl client certificates from hardware security modules (smartcards)
http://code.google.com/p/serf/issues/detail?id=27

It's still on my TODO list, but I'm currently working on another serf
feature. I have plenty of time for serf in February-March next year, so if
this is at the top of my list by then I'll have a go :).

I could use some help in getting some working smartcards for the
development; the only smartcard I have (my Belgian EID) was blocked during
testing of svn+neon+pkcs11.

se...@googlecode.com

Oct 5, 2011, 3:27:19 AM
to serf...@googlegroups.com

Comment #8 on issue 27 by alon.bar...@gmail.com: support pcs11 / wincapi to
get ssl client certificates from hardware security modules (smartcards)
http://code.google.com/p/serf/issues/detail?id=27

Hello,
Just realized that serf is working in Kerberos configuration better than
neon, which does not work without apparent reason.

So waiting for Subversion 1.7 to switch all my users.

For this issue I can help if you like, I developed the pkcs11-helper[1]
library which is used in some open source projects for abstraction of
PKCS#11 card access.

It is very easy to integrate it with OpenSSL proper application.

As far as I can see after initialization, it probably needs a change in one
place: ssl_need_client_cert.

In the past I worked with neon[2] and even [3] but then the maintainer felt
the need to implement his own implementation.

Thoughts?

[1] https://www.opensc-project.org/opensc/wiki/pkcs11-helper
[2] http://www.mail-archive.com/ne...@webdav.org/msg00315.html
[3] http://lists.gnu.org/archive/html/gnutls-devel/2010-05/msg00013.html

se...@googlecode.com

Jun 19, 2013, 4:23:42 AM
to serf...@googlegroups.com

Comment #9 on issue 27 by grzegorz...@gmail.com: support pcs11 / wincapi to
get ssl client certificates from hardware security modules (smartcards)
http://code.google.com/p/serf/issues/detail?id=27

Hello,

Is there any progress on this? AFAIK TortoiseSVN before 1.8 (svn 1.8) was
handling smart cards without problems when using Neon. Now when Subversion
removed Neon in 1.8 and Serf is the only option this gets even more
important.


se...@googlecode.com

Jun 19, 2013, 4:40:41 PM
to serf...@googlegroups.com
Updates:
Status: Accepted

Comment #10 on issue 27 by lieven....@gmail.com: support pcs11 /
wincapi to get ssl client certificates from hardware security modules
(smartcards)
http://code.google.com/p/serf/issues/detail?id=27

Hi.


I have been discussing the impact of not having this feature directly in
serf for Subversion on the svn devs mailing list, see [1].

I was under the impression from Stefan Küng's response in [2] that TSVN
based on svn 1.8 with serf will still support smart cards on Windows. Not
as the default build - but seems doable to get it working. I suggest you
check out the TortoiseSVN mailing lists for more info.

This being said, serf has been making some progress on this issue on the
multiple-ssl-impls branch, where I've added an abstraction of the ssl
module to switch SSL/TLS implementations, and implemented a Mac OS X
specific SSL/TLS module. As this module integrates with Keychain for both
server certificates and client identities, it automatically enables the use
of smart cards via Keychain services. On Mac OS X only.

The multiple-ssl-impls branch is not yet merged to trunk and parts of the
code are still being debated, so this is not for the immediate future. It
surely is a different approach than what has been suggested earlier in this
thread (equally valid options btw).

It does create the opportunity to implement a similar module using
Microsoft's APIs for the Windows platform. This is going to take some time
to implement though - I guess ~3 workweeks based on my work on the Mac OS X
implementation (all in my spare time, not doing that again). Motivated
volunteers are welcome. :-)

Lieven

[1] http://svn.haxx.se/dev/archive-2013-06/0069.shtml
[2] http://svn.haxx.se/dev/archive-2013-06/0081.shtml

se...@googlecode.com

Jun 19, 2013, 4:41:41 PM
to serf...@googlegroups.com
Updates:
Labels: -Type-Defect Type-Enhancement

Comment #11 on issue 27 by lieven....@gmail.com: support pcs11 /
wincapi to get ssl client certificates from hardware security modules
(smartcards)
http://code.google.com/p/serf/issues/detail?id=27

Enhancement instead of issue.

se...@googlecode.com

Aug 16, 2015, 7:09:26 AM
to serf...@googlegroups.com

Comment #12 on issue 27 by b...@qqmail.nl: support pcs11 / wincapi to get
ssl client certificates from hardware security modules (smartcards)
https://code.google.com/p/serf/issues/detail?id=27

The current status is that you can enable the feature for at least
Subversion's usage on Windows by enabling the optional CAPI support in
OpenSSL, and then applying some patches to enable more modern security
cyphers.

At least the TortoiseSVN & SharpSVN/SlikSVN are delivered with this feature
enabled.