There exists engine_pkcs11, but I'm seeing caveats that it can only work if OpenSSL is statically linked. This may have changed. (It also apparently only does RSA.)
-Kyle H

On Tue, Apr 8, 2014 at 10:31 AM, whitehat <r3...@hotmail.com> wrote:
> Hi
> I am using OpenSSL 1.0.2 on Windows 7 (Visual Studio) and I am trying to use
> a third-party pkcs11 library to sign a certificate signing request (csr).
>
> The private and public keys are generated and stored on a usb token, and
> there is no way of accessing them as files or blobs, but only attributes.
>
> I have created the certificate request using X509_REQ_new() and its related
> functions, but I am not able to sign the certificate request (using
> X509_REQ_sign) as I don't have access to the private, or even the public,
> key.
>
> I can only call the pkcs11 function C_SignInit/C_Sign to perform rsa signing
> on given data, and I can only extract the public key's public exponent and
> modulus.
>
> I have read that one way of solving this is by using an engine that performs
> the signing, but the usb vendor doesn't provide an openssl engine, so I
> think I have no choice but to somehow inject the modulus and exponent into
> the public key structure EVP_PKEY and somehow rewrite the signing function
> X509_REQ_sign so that it internally calls my token's sign function..?
>
> Any help is highly appreciated, Thank you!
>
> --
> View this message in context:
> http://openssl.6102.n7.nabble.com/applying-usb-token-generated-signature-to-certificate-request-csr-tp49151.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
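The question above boils down to a contract between OpenSSL and the token: OpenSSL produces the DER of the to-be-signed CertificationRequestInfo, the token must return an RSA signature over it that verifies as sha256WithRSAEncryption, and the only public material available is (modulus, exponent). The example below is an added illustration, not code from this thread or from OpenSSL. It stands the token in with a constructed Python class (the key is built from two Mersenne primes so the run is deterministic; it is not a secure key and a real token never exposes d), uses a constructed byte string in place of the DER that OpenSSL would hand over (i2d_re_X509_REQ_tbs() in 1.1.0 and later, i2d_X509_REQ_INFO() on req->req_info in 1.0.2; both are assumptions about how you would obtain it, not something the thread shows), and exercises three cases a practitioner should check before wiring this into X509_REQ: a correct DigestInfo-wrapped hash under CKM_RSA_PKCS verifies with just (n, e), a tampered request does not, and the common mistake of feeding the bare hash to CKM_RSA_PKCS yields a signature OpenSSL will reject.

```python
"""Added example: the data flow between an OpenSSL-built CSR and a token that
only offers raw RSA via C_SignInit/C_Sign (CKM_RSA_PKCS), verified with nothing
but the token's exported modulus and public exponent."""
import hashlib
import hmac

# DER prefix of DigestInfo{ id-sha256, NULL, OCTET STRING(32) } (RFC 8017, 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info_sha256(data: bytes) -> bytes:
    """What must be handed to C_Sign under CKM_RSA_PKCS: DigestInfo, not the raw hash.
    (With CKM_SHA256_RSA_PKCS the token would build this itself.)"""
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(data).digest()


def emsa_pkcs1_v15(t: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding (RFC 8017, 9.2): 00 01 FF..FF 00 T, exactly k bytes."""
    if len(t) + 11 > k:
        raise ValueError("modulus too short for this DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


class SimulatedToken:
    """Constructed stand-in for the USB token in the thread. Only n and e are
    readable (CKA_MODULUS / CKA_PUBLIC_EXPONENT); C_Sign applies type-1 padding
    and the private RSA operation inside the device. Demo key only."""

    def __init__(self):
        p = (1 << 127) - 1          # Mersenne primes: deterministic, NOT secure
        q = (1 << 521) - 1
        self.n = p * q
        self.e = 65537
        self.d = pow(self.e, -1, (p - 1) * (q - 1))
        self.k = (self.n.bit_length() + 7) // 8   # modulus length in bytes

    def public_attributes(self):
        return self.n, self.e

    def c_sign_rsa_pkcs(self, data: bytes) -> bytes:
        """Models C_SignInit/C_Sign with CKM_RSA_PKCS: pads whatever it is given."""
        m = int.from_bytes(emsa_pkcs1_v15(data, self.k), "big")
        return pow(m, self.d, self.n).to_bytes(self.k, "big")


def sign_tbs_with_token(tbs_der: bytes, token) -> bytes:
    """The step that replaces X509_REQ_sign(): hash the TBS DER, wrap it in
    DigestInfo, and let the token do the private operation."""
    return token.c_sign_rsa_pkcs(digest_info_sha256(tbs_der))


def verify_with_public_attributes(n: int, e: int, tbs_der: bytes, signature: bytes) -> bool:
    """What a verifier holding only (n, e), as OpenSSL does after the values are
    loaded into an RSA public key, checks for sha256WithRSAEncryption. Compares
    against the full expected encoding instead of leniently parsing the padding."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    expected = emsa_pkcs1_v15(digest_info_sha256(tbs_der), k)
    return hmac.compare_digest(em, expected)


# Constructed stand-in for the DER CertificationRequestInfo OpenSSL would produce.
SAMPLE_TBS = b"\x30\x82\x01\x00" + b"demo CertificationRequestInfo bytes (constructed)"


def demo():
    """Returns (correct signature verifies, tampered TBS verifies, bare-hash signature verifies)."""
    token = SimulatedToken()
    n, e = token.public_attributes()
    sig = sign_tbs_with_token(SAMPLE_TBS, token)
    ok = verify_with_public_attributes(n, e, SAMPLE_TBS, sig)
    tampered = verify_with_public_attributes(n, e, SAMPLE_TBS + b"x", sig)
    # Mistake to watch for: handing the bare SHA-256 digest to CKM_RSA_PKCS.
    bare_sig = token.c_sign_rsa_pkcs(hashlib.sha256(SAMPLE_TBS).digest())
    bare_ok = verify_with_public_attributes(n, e, SAMPLE_TBS, bare_sig)
    return ok, tampered, bare_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The verification routine deliberately rebuilds the expected encoding and compares it whole rather than walking the padding; lenient padding parsers are a known source of forgery bugs, and OpenSSL's own RSA verification does the same full comparison. On the OpenSSL side the public half of this flow is just loading n and e into an RSA object (RSA_set0_key() in 1.1.0 and later; in 1.0.2 the n and e fields of the RSA struct are still directly assignable) and wrapping it with EVP_PKEY_assign_RSA(); the private half is the token call shown here, with the resulting bytes placed into the request's signature field and the algorithm identifier set to sha256WithRSAEncryption. Those OpenSSL calls are named from general knowledge of the library, not from this thread.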