I'm currently working on a similar task during the development of a TLS client (with client-side authentication), using a PKCS#11 hardware token.
The main problem we encountered is that we cannot access the private key stored in the token; Therefore we made an engine which implements RSA signature methods, and used a fake private key file to make OpenSSL think the user cert & private key are present (state SSL3_ST_CW_CERT_B in d1_clnt.c) to be able to run to the CertificateVerify message signature state, which is performed by our engine using our user private key inside the token. Actually it works, but this approach doesn't feel right as we basically fool the api... I wondered if someone had a better idea of how to do this properly, like a way to make OpenSSL know the engine will handle the private key itself and will not extract it, it would be very helpfull. Best regards, Nicolas 2009/11/16 Victor B. Wagner <vi...@cryptocom.ru> > On 2009.11.13 at 04:44:02 -0800, Mansour Dagher wrote: > > > Hi all, > > > > > > if certificates and associated keys are stored on HW (Sun crypto card for > example), is there a way in openssl to specify the card as the location of > these certificates/kets? > > > > It appears from the methods below, the openSSL only takes filesystem > directory paths and file names as input for certificate/key locations: > > > > X509_STORE_load_locations() > > SSL_CTX_use_certificate_chain_file() > > SSL_CTX_use_PrivateKey_file() > > > > Any suggestions/thought? > > There is SSL_CTX_use_PrivateKey which allows you to use private key > already loaded into memory as EVP_PKEY structure. > > There is ENGINE_load_private_key function, which allows to create > EVP_PKEY structure engine-specific way. Engine is a module, which > handles interaction with some crypto hardware. Really this EVP_PKEY can > contain just reference for key stored in the hardware. > > If engine-initialization code sets up an RSA/DSA/other PKEY method which > knows how to hand of crypto operation to the hardware, you can use > key stored on the token (and never actually leaves it) for all > operations - either PKCS7/CMS/SMIME or SSL/TLS. > > If you store trusted CA certificates on the token as well, engine module > can also provide X509_STORE method, which can be used for certificate > verification. I don't remember in which version of OpenSSL support for > engine-provided X509_STORE method is appeared. > > Things are somewhat worse for certificates for the your private key. > > There was no ENGINE api to load certificates from token in the 0.9.8 > version. > > In the 1.0.0 function ENGINE_load_ssl_client_cert appeared, which allows > you to load certificate/private key pair given list of CA names > acceptable by server. This function seems to be designed for use from > SSL client certificate callback. > > But there still no API for loading SSL server certificate/key pair and > for loading SMIME certificate/key pair, not to mention loading > certificate with arbitrary extendedKeyUsage. > > But main problem is that when one want to use hardware token with > OpenSSL, it typically means tha one want to use token with existing > openssl applications, such as Apache, Lynx, OpenVPN etc. > > > OpenVPN has some support for PKCS#11 modules, but I've never tried it. > > Other applications cannot make use of OpenSSL engine API without > modifications. > > I'm not sure that they can work with X509_STORE method provided by > engine, even this method is set as default. Some client applications > such as lynx and wget are happy with X509_STORE_set_default_locations, > but most server applications want greater control on trusted CA store. > > Few years ago I've submitted patch for PostgreSQL which allows to use > keys loaded via ENGINE_load_private_keys to connect to PostgreSQL > database and this patch got into PostgreSQL 8.3 version. > But that time there was no API to load certificates. Now, when we have > ENGINE_load_ssl_client_cert and PostgreSQL 8.4 have certificate > authentication support may be it is time for new patch. > > > > > > > > > Thank you in advance. > > > > > > > > ______________________________________________________________________ > > OpenSSL Project http://www.openssl.org > > User Support Mailing List openssl-users@openssl.org > > Automated List Manager majord...@openssl.org > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org >
