Nicolas Pelloux-Prayer wrote:
I'm currently working on a similar task during the development of a TLS client (with client-side authentication), using a PKCS#11 hardware token.

The main problem we encountered is that we cannot access the private key stored in the token; therefore we made an engine which implements RSA signature methods, and used a fake private key file to make OpenSSL think the user cert & private key are present (state SSL3_ST_CW_CERT_B in d1_clnt.c) to be able to run to the CertificateVerify message signature state, which is performed by our engine using our user private key inside the token.

Yes, you can't access the private key in a token, otherwise you could copy it, which would invalidate the whole point of using a token in the first place.

Actually it works, but this approach doesn't feel right as we basically fool the API... I wondered if someone had a better idea of how to do this properly, like a way to make OpenSSL know the engine will handle the private key itself and will not extract it; it would be very helpful.


See http://www.opensc-project.org/engine_pkcs11/

Good luck figuring out how to use it though. I found this, http://www.openssl.org/docs/crypto/engine.html, and can't even find links to the specific ENGINE_xxxx APIs. In fact, coming in the front door at http://www.openssl.org/docs/ I don't even see a link to that page?


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
