Hello. I tried an SSL connection with client authentication using files and it works fine. This was the client: http://h71000.www7.hp.com/doc/83final/ba554_90007/ch05s03. and this the server: http://h71000.www7.hp.com/doc/83final/ba554_90007/ch05s04.html It works well, but with the certificates and files on the HDD.
Now I want to do the same, but with the client taking the certificate and key from my smartcard. For this I used the PKCS11 engine, but I have never used an engine and I don't know if my code is good. I replaced the corresponding certificates and CA certificates and load the engine to use the private key from my card. The code is:

    if (verify_client == ON) {
        /* Load the client certificate into the SSL_CTX structure */
        if (SSL_CTX_use_certificate_file(ctx, RSA_CLIENT_CERT, SSL_FILETYPE_PEM) <= 0) {
            ERR_print_errors_fp(stderr);
            exit(1);
        }

        /* Load the private key corresponding to the client certificate */
        // Load the dynamic engine and run the pre-init commands
        ENGINE_load_dynamic();
        _engine = ENGINE_by_id("dynamic");
        if (_engine == NULL) {
            printf("No hay engine\n");
            return -1;
        }
        char *enginePath = "/usr/lib/engines/engine_pkcs11.so";
        if (!ENGINE_ctrl_cmd_string(_engine, "SO_PATH", enginePath, 0)) {
            printf("falla 1\n");
            return -1;
        }
        char *id = "pkcs11";
        if (!ENGINE_ctrl_cmd_string(_engine, "ID", id, 0)) {
            printf("falla id\n");
            return -1;
        }
        if (!ENGINE_ctrl_cmd_string(_engine, "LIST_ADD", "1", 0)) {
            printf("falla el add\n");
            return -1;
        }
        if (!ENGINE_ctrl_cmd_string(_engine, "LOAD", NULL, 0)) {
            printf("falla el load\n");
            return -1;
        }
        char *modulePath = "/usr/lib/opensc-pkcs11.so";
        if (!ENGINE_ctrl_cmd_string(_engine, "MODULE_PATH", modulePath, 0)) {
            printf("falla el modulo\n");
            return -1;
        }
        printf("exito al cargar el engine\n");  // Success

        if (!ENGINE_init(_engine)) {
            printf("Engine no iniciado\n");
            return -1;
        }

        // Correct KEY ID
        char *keyName = "4130363036413235323630323641303230313030313230313032343035";
        EVP_PKEY *key = ENGINE_load_private_key(_engine, keyName, NULL, NULL);
        if (key == NULL) {  /* added check: do not hand a NULL key to SSL_CTX_use_PrivateKey */
            ERR_print_errors_fp(stderr);
            exit(1);
        }
        if (SSL_CTX_use_PrivateKey(ctx, key) <= 0) {
            ERR_print_errors_fp(stderr);
            exit(1);
        }

        /* Check that the client certificate and private key match */
        if (!SSL_CTX_check_private_key(ctx)) {
            fprintf(stderr, "Private key does not match the certificate public key\n");
            exit(1);
        }
    }

When I run the client I don't get any failure.
The engine asks me for the PIN to load the private key. I enter the correct PIN and the private key check doesn't report any error. But then I get this error in the client:

    PKCS#11 token PIN:    (here I enter the correct PIN -> no errors)
    4259:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:951:

and in the server I get this error:

    SSL connection using (NONE)The SSL client does not have certificate.Received 0 chars:''

The client does not have a certificate? What is my problem? Thanks
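The client-side message above ("SSL3_GET_SERVER_CERTIFICATE:certificate verify failed") is produced when the client cannot validate the certificate the server presented, which happens before the client's own certificate is sent. The following added example (not code from the original post) reproduces that check offline with the `openssl verify` command: it builds a throwaway CA and a server certificate issued by it, plus a self-signed "stray" certificate, in a temporary directory; all names and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: offline reproduction of the server-certificate chain check a
# TLS client performs. Everything is generated into a temp dir; no real hosts.
set -e
WORK="$(mktemp -d)"

# Self-signed CA (also used below to produce an unrelated self-signed cert).
# $1 = output prefix -> $1.key, $1.pem
mk_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Demo Test CA $(basename "$1")" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Server certificate issued by the CA.  $1 = output prefix, $2 = CA prefix
mk_server_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=demo.server.test" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$1.csr" \
    -CA "$2.pem" -CAkey "$2.key" -CAcreateserial -out "$1.pem" 2>/dev/null
}

# Returns 0 when certificate $2 chains to the CA bundle $1 (what a client
# checks on SSL3_GET_SERVER_CERTIFICATE), non-zero otherwise.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

mk_ca "$WORK/ca"
mk_server_cert "$WORK/server" "$WORK/ca"
mk_ca "$WORK/stray"   # self-signed cert unknown to the client's CA bundle

if chain_ok "$WORK/ca.pem" "$WORK/server.pem"; then
  echo "server.pem: chain verifies against ca.pem"
fi
if ! chain_ok "$WORK/ca.pem" "$WORK/stray.pem"; then
  echo "stray.pem: certificate verify failed (not issued by ca.pem)"
fi
```

Point the same check at the CA bundle the client is configured with and the certificate the server actually serves to see which side of the handshake is failing.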