On 12.12.2001 11:12:35 Vadim Fedukovich wrote:
> On Wed, 12 Dec 2001, Alexander Kuit wrote:
>
> > > > I'm using the engine version to let the client do rsa private encryption
> > > > by a smartcard. This means of course that the private key is hidden
> > > > inside the card. However, during debugging SSL_connect() I
> > > > discovered that a client certificate is only sent to the server if
> > > > a private key is set (e.g. by SSL_CTX_use_PrivateKey).
> > > >
> > > > How is this supposed to work? At the moment the only way
> > > > to avoid handshake error is to give ssl a dummy private key.
> > > > Does anybody know a proper way?
> > >
> > > look for ENGINE_load_private_key(...) in engine.h.
> >
> > As far as I understand this function, it requests the private key from the
> > engine. Unfortunately (but not surprisingly), the private key is inside
> > the smartcard and cannot be read (only selected for cryptographic
> > operations). So how can a client perform a successful handshake,
> > including sending its certificate, without providing a private key?
> > This is crucial for our security requirements, so any help would
> > be very appreciated.
>
> Short answer is your card should be capable of doing "MD5+SHA1" type
> of signature and this function should be available as "rsa_sign"
> member of ENGINE structure. RSA_FLAG_SIGN_VER should be set to route
> signing operation to the card. This signing will be requested while
> ssl3_send_client_verify().

The problem occurs before ssl3_send_client_verify(), in
ssl3_send_client_certificate(). The existence of a private key is checked
there:

    if ((s->cert == NULL) ||
        (s->cert->key->x509 == NULL) ||
        (s->cert->key->privatekey == NULL))

There seems to be no way around that, which means that I have to provide a
private key, even if I don't have one (it's in the card). I now believe I
understand that's what ENGINE_load_private_key() is for (please correct me
if I'm still wrong).

If I'm right with that, then how do I generate a "dummy" private key,
without having to fill in the bits of the rsa structure myself? Any idea is
very welcome.

Alex.

> Could I ask what are the cards? Is it hard for you to do it?

The card is one of my employer's, ORGA Kartensysteme GmbH, with the MICARDO
operating system (http://www.orga.com)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]