Hello Patrick,

Thanks for the help ...

-----------------

My background: I am working with a server application that has its own programming language (ADVPL). In the server I am responsible for some protocols such as HTTP/HTTPS server/client :) and now I have to use an HSM. Currently it supports only the PEM format, and the files are saved to disk, with the passphrase in the server INI :(

Ex:

[HTTPS]
Enable=1
Port=443
Path=c:\webpath
Instances=20,200

[SSLConfigure]
SSL2=0
SSL3=1
TLS1=1
CertificateClient=c:\certs\xxx.pem
KeyClient=C:\certs\xxx.pem
PassPhrase=xxxx

--------------------

I already use OpenSSL in my application server; now I will have to support a hardware solution using SafeNet.

Yes, I have a ProtectToolkit C SDK (linux32, win32), with examples that explain how to handle:

- Slots
- PIN
- Private keys and certificates
- Sign and verify

But I want an example of an HTTPS client request, using the key, certificate and password contained in the hardware (emulator). How can I use s_client for this? It would help very much ... instead of this way:

openssl s_client -connect host:443 -cert xxx.pem -key xxx.pem -pass xxx -CApath xxx.pem -ssl3

Thanks in advance,
Ricardo

PS: Sorry for my English

On Wed, Sep 17, 2008 at 3:14 PM, Patrick Patterson <[EMAIL PROTECTED]> wrote:
> Hi Ricardo:
>
> On September 17, 2008 12:52:23 pm Ricardo Garcia Reis wrote:
> > Hey fellows,
> >
> > I want your help to implement an integration with SafeNet HSM hardware. I
> > know OpenSSL, but have never used it with PKCS#11.
>
> The Engine interface is your friend :) And WHICH Safenet HSM? Have you taken a
> look at their SDK? They have several good examples in the OpenSSL Appendix
> there that probably do what you want. The other thing that you will need are
> their patches to OpenSSL to make the engine interface able to talk to the
> HSM, or it will never work.
>
> > I have an HTTPS server and wonder how I inform the certificate,
> > private key and passphrase for the HTTPS handshake using PKCS#11.
> >
> > How do I change my functions load_key and load_cert to use PKCS#11? Any
> > good sample? I tried the OpenSC samples, but ..
>
> Did you write this server yourself? If so, then you really should talk to
> Safenet and get the SDK if you don't already have it, and probably a
> development support contract. LibCrystoki and OpenSSL are a bit tricky in how
> they work together :)
>
> Other than that, to get the command line tools working, it should be a matter
> of editing your openssl.cnf file to have something like (if you have a CA3,
> or equivalent - check your documentation):
>
> [ openssl_init ]
> engines = engine_section
> oid_section = new_oids
>
> [ engine_section ]
> lunahsm = luna_hsm
>
> [ smartcard_section ]
> engine_id = LunaCA3
> init = 0
>
> and your /etc/Chrystoki.conf file to have a section that looks like:
>
> EngineLunaCA3 = {
>   LibPath = /usr/lunapcm/lib/libCryptoki2.so;
>   EngineInit=1:10:11;
> }
>
> And then
>
> # login to the HSM
> sautil -o -s 1 -i 10:11
>
> # do something with s_client
> openssl s_client -connect remoteserver:443 -engine LunaCA3 -key sautil-generated.key \
>   -cert client-cert.pem
>
> # log out of the HSM
> sautil -c -s 1 -i 10:11
>
> But, as I said, it's probably best to talk to SafeNet directly, since the
> entire process of getting the right ".key" file is a bit tricky.
>
> Have fun.
>
> --
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]