Hi,
I'm new to OpenSSL and am trying to set up mutual authentication
in a client. The client is set up with OpenSSL 1.0.2u, and the
client's certificate + private key is stored on a Smart Card. When
the client receives a certificate request from the server during the
mutual authentication handshake, the OpenSSL client_cert_cb
callback function is automatically invoked. The problem is that client_cert_cb
requires a private key. Unfortunately, it is not possible to get a
private key from a Smart Card. Is there a way to send a certificate
to the server without needing the private key?
I'm setting up the callback function with:
void
SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
                           int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
Here is a sample of what my code looks like when I set this up:
SSL_CTX_set_client_cert_cb(context, openSSLClientAuthenticationCallBack);

int openSSLClientAuthenticationCallBack(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
{
    . . .
}
I can access the Smart Card using the PKCS#11 interface and I'm able
to get the certificate and sign it, etc. However, I cannot get the
actual private key from the Smart Card.
Does anyone know how I can get around this problem?
Thanks,
George