I need some help to establish a communication channel to consume a webservice
using SSLv3 with mutual authentication, libcurl and a smart card, which will
store the client certificate, the key pair and will be responsible for
signatures, encryptions, etc.
For testing purposes, without using the smart card, the following brief code
(SOAP message configurations)
curl_easy_setopt (curl, CURLOPT_USE_SSL, CURLUSESSL_ALL);
curl_easy_setopt (curl, CURLOPT_SSLVERSION, 3);
curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 1);
curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 2);
curl_easy_setopt (curl, CURLOPT_SSLCERT, "clientCertificateFile");
curl_easy_setopt (curl, CURLOPT_KEYPASSWD, "testPrivateKeyPass");
curl_easy_setopt (curl, CURLOPT_SSLKEY, "testPrivateKeyFile");
curl_easy_setopt (curl, CURLOPT_CAINFO, "CAcertificateFile");
curl_easy_setopt (curl, CURLOPT_URL, "URLtoWebService");
After running this code, I can establish communication using SSLv3
and get the expected response from the webservice. However, I need to
establish this secure channel using the smart card. I have free access
to the following information:
"clientCertificateFile" - stored on the smart card, in PEM format. It can be
read through access function.
"CAcertificateFile" - stored on disk, in PEM format. It can be read through
"URLtoWebService" - stored in the application.
"testPrivateKeyFile" and "testPrivateKeyPass" are temporary files
used only for testing and should be replaced by the smart card.
My doubt is: How to use the smart card to replace the private key and password
in the libcurl setup process?
The smart card does not allow access to private key, only to the
public key, as expected. However, I can send to the smart card data to be signed
or encrypted, using the private key, and get the resulting buffer.
Is there any way to redirect part of the SSLv3 connection handshake to use my
smart card? Some setting in lib ssl, or libcurl?
Thanks for listening!
List admin: https://cool.haxx.se/list/listinfo/curl-library