On 2009.11.13 at 04:44:02 -0800, Mansour Dagher wrote:
> Hi all,
>
> If certificates and associated keys are stored on HW (Sun crypto card for
> example), is there a way in OpenSSL to specify the card as the location of
> these certificates/keys?
>
> It appears from the methods below that OpenSSL only takes filesystem
> directory paths and file names as input for certificate/key locations:
>
> X509_STORE_load_locations()
> SSL_CTX_use_certificate_chain_file()
> SSL_CTX_use_PrivateKey_file()
>
> Any suggestions/thoughts?
There is SSL_CTX_use_PrivateKey, which allows you to use a private key already loaded into memory as an EVP_PKEY structure. There is the ENGINE_load_private_key function, which allows you to create an EVP_PKEY structure in an engine-specific way. An engine is a module which handles interaction with some crypto hardware. Really, this EVP_PKEY can contain just a reference to a key stored in the hardware.

If the engine-initialization code sets up an RSA/DSA/other PKEY method which knows how to hand off the crypto operation to the hardware, you can use a key stored on the token (which never actually leaves it) for all operations - either PKCS7/CMS/SMIME or SSL/TLS.

If you store trusted CA certificates on the token as well, the engine module can also provide an X509_STORE method, which can be used for certificate verification. I don't remember in which version of OpenSSL support for an engine-provided X509_STORE method appeared.

Things are somewhat worse for the certificates for your private key. There was no ENGINE API to load certificates from a token in the 0.9.8 version. In 1.0.0 the function ENGINE_load_ssl_client_cert appeared, which allows you to load a certificate/private key pair given the list of CA names acceptable to the server. This function seems to be designed for use from the SSL client certificate callback. But there is still no API for loading an SSL server certificate/key pair or an SMIME certificate/key pair, not to mention loading a certificate with an arbitrary extendedKeyUsage.

But the main problem is that when one wants to use a hardware token with OpenSSL, it typically means that one wants to use the token with existing OpenSSL applications, such as Apache, Lynx, OpenVPN etc. OpenVPN has some support for PKCS#11 modules, but I've never tried it. Other applications cannot make use of the OpenSSL engine API without modifications. I'm not sure that they can work with an X509_STORE method provided by an engine, even if this method is set as the default.

Some client applications such as lynx and wget are happy with X509_STORE_set_default_locations, but most server applications want greater control over the trusted CA store.

A few years ago I submitted a patch for PostgreSQL which allows keys loaded via ENGINE_load_private_key to be used to connect to a PostgreSQL database, and this patch got into the PostgreSQL 8.3 version. But at that time there was no API to load certificates. Now, when we have ENGINE_load_ssl_client_cert and PostgreSQL 8.4 has certificate authentication support, maybe it is time for a new patch.

> Thank you in advance.
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
> ______________________________________________________________________