This section covers hardware token support in GnuTLS using PKCS #11 [PKCS11]. PKCS #11 is a plugin API that allows applications to access cryptographic operations on a token, as well as objects residing on the token. A token can be a real hardware token, such as a smart card or a trusted platform module (TPM), or it can be a software component such as Gnome Keyring. The objects residing on such a token can be certificates, public keys, private keys, or even plain data or secret keys. Of those, certificates and public/private key pairs can be used with GnuTLS. The main advantage of PKCS #11 is that it allows operations on private key objects, such as decryption and signing, without exposing the key material to the application.
A PKCS #11 module to access smart cards is provided by the OpenSC project, and a module to access the TPM chip on a PC is available from the TrouSerS project.
Moreover, PKCS #11 can be (ab)used to allow all applications on the same operating system to access shared cryptographic keys and certificates in a uniform way, as in Figure 6.1. That way applications could load their trusted certificate list, as well as user certificates, from a common PKCS #11 module. Such a provider exists in the Gnome system, namely Gnome Keyring.
Figure 6.1: PKCS #11 module usage.
This document was generated by nmav on November 25, 2011 using texi2html 1.82.