Hi Tobias,

On 23/10/19 10:11, tobias.w...@t-systems.com wrote:
Our PKCS11 module development will be discontinued and therefore I can't use it 
anymore, but the idea is great and very interesting.
To give more details: we need a callback or similar mechanism to replace the 
signature created in the Certificate TLS message with our signature coming from the 
card reader.

TLS handshake
......
S: Certificate Request
C: Certificate Verify --> here we want to hook in "Signature" and replace the 
value!
.....

We already tried the client callback

int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);

But there it is mandatory to pass in the private key, which we don't have, 
because that part is done by the card reader machine.
I think the caller of the callback later does RSA sign processing with 
the private key, and that is where I want to hook in!


Writing your own engine might be the easiest thing: the way it currently (most likely) works is
  openssl -> engine_pkcs11 -> libp11 -> pkcs11 driver

All you'd have to do is move your pkcs11 driver code into a fork of the engine_pkcs11 code. That code is less than 2000 lines long, so it should be fairly straightforward.

JM2CW,

JJK
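The hook Tobias is asking for, shown end to end as an added example (this is not code from the thread, from OpenSSL or from engine_pkcs11). It is written in Go rather than against OpenSSL because Go's crypto/tls exposes exactly such a callback, the crypto.Signer interface, so the whole exchange (server sends CertificateRequest, client answers CertificateVerify with a signature produced outside the TLS stack) can run offline in one process. In OpenSSL the corresponding hook point is the RSA_METHOD or EVP_PKEY_METHOD that an engine supplies for the key, which is what the engine_pkcs11 suggestion above amounts to. The card reader is simulated by a closure that owns the private key; cardSigner, simulatedCard, material, mutualHandshake and the host names are all made up for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// cardSigner replaces the private key in the client's tls.Certificate: it holds only
// the public half and forwards the CertificateVerify digest to the "card" via sign.
type cardSigner struct {
	pub   crypto.PublicKey
	sign  func(digest []byte, opts crypto.SignerOpts) ([]byte, error)
	calls int         // how often crypto/tls asked for a signature
	hash  crypto.Hash // hash requested on the last call
}

func (s *cardSigner) Public() crypto.PublicKey { return s.pub }

// Sign is the hook point: the stack hands over the hashed transcript and the
// padding options, never the key, and expects the raw signature bytes back.
func (s *cardSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	s.calls++
	s.hash = opts.HashFunc()
	return s.sign(digest, opts)
}

// simulatedCard stands in for the card reader (constructed for this example); the
// private key exists only inside this closure. TLS 1.3 and rsa_pss_rsae schemes
// arrive as *rsa.PSSOptions, rsa_pkcs1 schemes (TLS 1.2) as a bare hash.
func simulatedCard(priv *rsa.PrivateKey) func([]byte, crypto.SignerOpts) ([]byte, error) {
	return func(digest []byte, opts crypto.SignerOpts) ([]byte, error) {
		if pss, ok := opts.(*rsa.PSSOptions); ok {
			return rsa.SignPSS(rand.Reader, priv, pss.Hash, digest, pss)
		}
		return rsa.SignPKCS1v15(rand.Reader, priv, opts.HashFunc(), digest)
	}
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// material generates a key and a self-signed certificate for cn (throwaway test material).
func material(cn string) (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

// mutualHandshake runs an in-process TLS 1.3 handshake: the server sends CertificateRequest,
// the client signs CertificateVerify via the card. Returns the card's call count and the hash used.
func mutualHandshake() (int, crypto.Hash, error) {
	serverKey, serverCert := material("server.example")
	cardKey, clientCert := material("client.example") // cardKey is never handed to crypto/tls
	clientCAs, serverRoots := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(clientCert)
	serverRoots.AddCert(serverCert)
	signer := &cardSigner{pub: &cardKey.PublicKey, sign: simulatedCard(cardKey)}

	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey}},
		ClientAuth:             tls.RequireAndVerifyClientCert, // forces S: CertificateRequest
		ClientCAs:              clientCAs,
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // no post-handshake writes, so the synchronous pipe cannot stall
	}
	clientCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{clientCert.Raw}, PrivateKey: signer}},
		RootCAs:      serverRoots,
		ServerName:   "server.example",
	}

	clientConn, serverConn := net.Pipe()
	serverErr := make(chan error, 1)
	go func() {
		defer serverConn.Close()
		serverErr <- tls.Server(serverConn, serverCfg).Handshake()
	}()
	defer clientConn.Close()
	if err := tls.Client(clientConn, clientCfg).Handshake(); err != nil {
		return signer.calls, signer.hash, fmt.Errorf("client: %w", err)
	}
	if err := <-serverErr; err != nil {
		return signer.calls, signer.hash, fmt.Errorf("server: %w", err)
	}
	return signer.calls, signer.hash, nil
}

func main() {
	fmt.Println(mutualHandshake()) // prints: 1 SHA-256 <nil>
}
```

Two things worth taking from the run: the TLS layer calls the signer exactly once, with a digest and padding parameters rather than with anything resembling a key, so the card only has to perform one private-key operation per handshake; and under TLS 1.3 that operation is RSA-PSS (the rsa_pss_rsae_* schemes), since RFC 8446 does not allow PKCS#1 v1.5 in CertificateVerify. A card that only produces PKCS#1 v1.5 signatures can therefore do client authentication for TLS 1.2 but not TLS 1.3, whereas a card that exposes a raw RSA private operation can serve both as long as the host applies the PSS padding before handing over the block (which is what OpenSSL's rsa_priv_enc path with RSA_NO_PADDING does inside an engine).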
