On Mon, Oct 13, 2014, Fredrik Jansson wrote:
> Hi!
>
> I have a device where I cannot access the client certificate's private
> key directly, but have access to verification and signature functions.
>
> The certificate, in DER format, is accessible.
>
> I need to use client certificates in my TLS connection and found the
> SSL_CTX_set_client_cert_cb function. I can convert the encoded cert to
> an X509 structure and return that, but I cannot provide it with an
> EVP_PKEY object.
>
> Is there any way I can instruct any of the SSL_CTX, SSL or EVP_PKEY
> objects to call a signature function (that I provide) during the
> handshake?
An EVP_PKEY structure doesn't have to contain the private key components; it can contain just the public components. Private key operations can be redirected to a function which performs the necessary operation. How you do that depends on the signing function you have available. Typically you'll write a *_METHOD for the key type and an ENGINE to contain it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org