Hi Michael,
I see what you mean. So once I have everything setup, i use the following to get the private key:
EVP_PKEY *pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, transfer_pin, &cb_data);
Will pkey actually contain the private key from the smart card? I thought it was not possible to get a private key from a smart card?
Once I have pkey, do I simply use it within the client_cert_cb callback function?
Thanks,
George
On 2020-12-14 10:58 a.m., Michael Wojcik wrote:
I see what you mean. So once I have everything setup, i use the following to get the private key:
EVP_PKEY *pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, transfer_pin, &cb_data);
Will pkey actually contain the private key from the smart card? I thought it was not possible to get a private key from a smart card?
Once I have pkey, do I simply use it within the client_cert_cb callback function?
Thanks,
George
On 2020-12-14 10:58 a.m., Michael Wojcik wrote:
From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of George Sent: Monday, 14 December, 2020 08:15Thanks for your response. It looks like I don't already have the PPP and PPPD.You don't need PPP to use a smartcard or other PKCS#11 device. Jan just mentioned the source as a exemplar of the interactions your code will need to have with OpenSSL.Are there any other ways to get the Smart Card to work without needing to install additional software?Probably not. OpenSSL's PKCS#11 Engine implements the PKCS#11 API. That API needs a way to talk to the particular PKCS#11-compatible hardware you're using. That means it needs a driver, and generally some configuration as well. It's been a few years since I last played around with this - I got OpenSSL working with a NitroKey as part of a code-signing spike - but you'll need to investigate PKCS#11 support for your particular device. There are Open Source projects such as OpenSC which may give you part or all of what you need to get OpenSSL's PKCS#11 Engine working with your hardware. When I did it, it wasn't trivial. I spent a couple of days on investigation and experimenting before I got anything working, and a couple more days making sure I understood the entire process and documenting procedures that worked consistently. (With some applications I had persistent problems such as Windows insisting on prompting for the device PIN instead of letting me supply it programmatically, but I think that was only when using Microsoft APIs rather than going through OpenSSL.) If the client certificate uses a public key that corresponds to a private key on the smartcard, though, that's what you'll have to do. You can't use a certificate as a proof of identity without the corresponding private key. (Some HSMs and other crypto devices have support for exporting private keys, often as multiple shares, for backup and cloning purposes. Using that to get the private key for direct use defeats the whole purpose of an HSM, of course, so that shouldn't be used to bypass the card.) -- Michael Wojcik
