[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Issues compiling auto_hi classes (and others issues)
Yes. That seems like the best way to go to get the functionality you want
using the current CML and SRL.
> I just want to make sure that everything is ok concerning my "NEW"
> understanding of SFL - CML - SRL.
> Here is some definitions:
> MY_APP: my application
> SFL: the SFL Lib
> CML: the CML Lib
> SRL: the SRL Lib
> MY_CALLBACK: my custom CallBack Function
> MY_CUSTOM_X509_STORE: my own store implemented with it's own API
> Here is the order of processing steps:
> I- MY_APP calls CML to search for a specific Cert.
> I.1- CML calls MY_CALLBACK to search for the specific Cert.
> I.2- MY_CALLBACK calls SRL to search internally for the
> specific Cert.
> I.2.1- SRL return to my callback with NO_CERT_FOUND (kind of)
> I.3- MY_CALLBACK calls MY_CUSTOM_X509_STORE to search for the Cert.
> I.3.1- MY_CUSTOM_X509_STORE returns CERT_FOUND (with
> the Cert).
> I.4- MY_CALLBACK returns to CML the Cert found.
> I.5- CML returns to MY_APP the Cert found.
> II- MY_APP calls SFL with the Cert found.
> Does it looks like the way to proceed? So basically, it is
> MY_CALLBACK that
> will call internally SRL and then MY_CUSTOM_X509_STORE in
> order to achieve
> what I want...
> -----Original Message-----
> From: owner-imc-sfl@xxxxxxxxxxxx [mailto:owner-imc-sfl@xxxxxxxxxxxx]On
> Behalf Of Nicholas, Richard
> Sent: 19 mars, 2001 13:31
> To: 'Simon Blanchet'
> Cc: imc-sfl@xxxxxxx
> Subject: RE: Issues compiling auto_hi classes (and others issues)
> I'll leave question #1 for someone else, and try to answer #2.
> > (Question #2)
> > From my understanding of SFL - CML - SRL now it looks like
> > CML (v1.9) is
> > only used to provide Cert Path Validation and High Level
> > access to "the real
> > implementation of a cert store". The Storage is handled by
> > SRL. I got some
> > questions concerning CML vs SRL:
> > 2.1 Is there a way to use Crypto++ (instead of RSA BSAFE) for
> > cryptographic
> > function needed by CML for path processing? How?
> The CML has two cryptographic interfaces, an internal one to make DSA,
> SHA-1, RSA, MDx calls directly for signature verification,
> and the SFL CTIL
> interface. If you want to use the CTIL interface, simply
> provide a pointer
> to a valid CSMIME object during the call to
> CM_CreateSessionExt(). (CSMIME
> is sort of a container for CTIL instances.)
> > 2.2 Is there a way to use SFL with CML (for path validation
> > processing and
> > high level access to storage) with SRL (for storage only) and
> > finally with a
> > custom-made CallBack_Function (only for certificate
> > retrieval).
> Not with the current version of the SFL, which doesn't use
> the CML at all.
> The next version (v2.0, I believe) will support some level of
> CML & SRL
> integration. Exactly how tightly they will be integrated is TBD.
> > To be more
> > precise: Let's say that someone want to use SRL to store the
> > certificates
> > but he don't want to use the default retrieval using a
> > LDAP_Client provided
> > library. What he want to do is more:
> > I- SFL needs someone's certificate to encrypt
> > II- SFL calls CML to ask for certificate
> > III- CML calls SRL to ask for certificate
> > IV- SRL don't find the certificate asked for...
> > V- CML (or SRL at this point?) use the "Custom_Made" CallBack
> > Function to
> > retrieve the certificate
> > At step V let's just say that the certificate is not found
> > locally nor it is
> > available to a LDAP directory. The certificate can be found
> > at another
> > place using a Custom_Made function... I hope you got it.
> > The question is:
> > Is it feasible? How?
> > I was reading in CML API doc (v1.9) that there are 3
> > different functions
> > that can be provided to CM_CreateSessionExt()... I have kind
> > of a idea
> > about how to do it but I'm really not sure if it will work
> > (or if CML was
> > designed for this specific case mentionned above).
> As mentioned above, the current SFL does not call the CML. I
> don't know if
> the specific scenario you describe will be implemented in SFL
> v2.0 or not
> (i.e., SFL calling CML to get a recipient's encryption
> certificate.) I
> suspect the finding of the correct recipient's certificate
> for outgoing
> messages will likely still be an application responsibility.
> I don't think the processing steps you listed above (I - V)
> would be the way
> to go in any case. The CML architecture already supports app-provided
> callback functions for requesting objects (certs & CRLs). (The CML
> architecture was designed this way so that the SRL can be eliminated
> altogether.) I'd suggest you simply implement those callback
> functions to
> call the SRL directly first and then if the cert or CRL is
> not found there,
> then the function can call your app-specific retrieval/search
> Hope that helps.
> - Rich
> Richard E. Nicholas
> Principal Secure Systems Engineer
> Getronics Government Solutions, LLC
> (301) 939-2722
> > |=========================================
> > | Simon Blanchet
> > | Software Designer
> > |
> > | Email: sblanche@xxxxxxxxxx
> > |=========================================