Alexander Kuit wrote:
> On 13.12.2001 10:49:31 Richard Levitte - VMS Whacker wrote:
>
> > Assuming you have reached a point where you have a RSA that contains
> > the public data in a form that OpenSSL understands, and a reference
> > (completely chosen by you) to the private data on the card in ex_data,
> > you can now do the following (assuming res is of the type EVP_PKEY *):
> >
> >     res = EVP_PKEY_new();
> >     EVP_PKEY_assign_RSA(res, rsatmp);
> >
> > This is exactly how it's done in crypto/engine/hw_ncipher.c, why don't
> > you take a look at that file?
>
> Hi Richard,
>
> I had a look at that code, but I just don't like copying things without knowing
> what I'm doing ;-)
That is fine...

> What do you mean by "you have a RSA that contains the public data" ?
> I really don't understand why I need a EVP_PKEY with a pointer to a
> RSA struct. The DER encoded X.509 certificate is read from the card.

In the SSL handshake (if you do client authentication), you have to
provide the certificate and some data signed with the private key.
If you provide a client key that can't sign data, the SSL handshake
will fail (if client auth. is required).

> I don't have and need access to the private key in the card, I only
> have to make sure the right key is used during the SSL handshake,
> but that's easy also without a dummy/proxy/shadow (whatever one
> could call it) EVP_PKEY.

The EVP_PKEY you provide is some handle to your internal data.
It allows the SSL function to sign the required data.

> If I have to provide a EVP_PKEY (e.g. by ENGINE_load_private_key),
> with what information do I fill it? What data do I put into the RSA struct?
> (I don't have any private data and I guess my own public key is not used
> during the handshake. Besides, it's already in the certificate)

Your RSA struct must contain the following:
1. the public key.
2. the flags must contain RSA_METHOD_FLAG_NO_CHECK.
3. the pointer to the crypto engine that processes crypto operations with the key.
4. some data that the ENGINE uses to access the private key on the card.
   (e.g. PKCS11: library function table / session handle / key handle)
(Something missing ?)

> I'm sorry I keep going on with this, but it's still not satisfying.

I think you got the client authentication in the SSL handshake wrong.
You have to use the private key, the certificate is something the server
needs if you really have access to it.

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126