On Tue, 21 Jul 2015 06:58:24 +0000 (UTC) Anirudh Raghunath <anirudhraghunath at rocketmail.com> wrote:

> Hello,
> I would like to utilize the ENGINE_load_ssl_client_cert() function to
> load a certificate from my smart card. I have successfully loaded the
> engine and have also tried to play around with the
> ENGINE_load_private_key() function. It worked successfully and I was
> able to get the private key in an EVP_PKEY object. But I also want
> the certificate associated with it. I looked at the code of
> ENGINE_load_ssl_client_cert() but cannot understand the parameters
> passed to it. Can someone please guide me on how to use it and
> perhaps give a working example of the call to that function with the
> parameters clearly mentioned and explained? Thanks in advance.
>

As far as I can understand, this function is designed to be called from the client certificate callback, set with the function SSL_CTX_set_client_cert_cb. This callback gets a pointer to the SSL structure (which should be passed to ENGINE_load_ssl_client_cert) and can use SSL_get_client_CA_list to obtain the list of CAs which the server would trust. (The SSL protocol allows sending this list to the client.)

So, you would pass to ENGINE_load_ssl_client_cert:

1. a reference to the engine to use;
2. a pointer to the SSL object of your client connection (I don't know why it might be needed);
3. the list of CA distinguished names (ca_dn) which the server would trust. You can obtain it from the SSL structure passed to your callback and possibly filter something out of it;
4. three pointers to variables where the result should be placed: one for the certificate, another for the private key and a third for the stack of intermediate CA certificates;
5. the UI method and its callback data (which you should already be familiar with, because you have successfully managed to use ENGINE_load_private_key).
The engine ought to find a certificate/private key pair where the certificate is issued by one of the CAs in the list you pass (or at least a chain of trust from it to one of these CAs can be built). Then the engine asks the user for the PIN code of the private key and returns all the objects: the certificate, the private key and the chain of trust from this certificate to one of the CAs you've passed to it.

Probably there can be a situation where more than one certificate in the hardware token matches the given criteria (issued by one of the given CAs). In this case the engine should use ui_method to ask the user which one of them he wants to use.

Unfortunately, I do not know any engine which does all the things above. I've looked into the source of the OpenSC pkcs11 engine version 0.1.8 and found out that it doesn't support this function. So I have to copy the certificate out of the token into a file using pkcs11-tool and use ENGINE_load_private_key to load the key from the token.