I'm OK that the whole point of using a smart card is that we can't extract keys. I learned that OpenSSL, using the PKCS#11 API, must communicate with a middleware called OpenSC that really communicates with the card. The problem is that OpenSC does not understand the structure of the card if it is non-standard (for example PKCS#15). So:

1- I should write an emulation driver that will create a structure (similar to PKCS#15) in host memory to allow the middleware to know the structure (for example: ID/path of keys).
2- I should write a card driver to make OpenSC do basic commands, such as signing data with that key (if needed) -> the outputs will be understood by OpenSSL.

I'm thinking about another solution: why not create a new module (in place of eap-tls) that freeradius will use to apply eap-tls via the "APDU outputs" of the card instead of OpenSSL? The client must have the same structure of messages to send!

*Another question to consider is if a smartcard will give you adequate performance for your server load; a different type of hardware based key management might be more appropriate than using a smartcard for a server. Smartcards are typically used for "client" authentication and signing where the volume of cryptographic operations is relatively low.

*If I am able to connect one card, I will use many cards to connect with the server to optimize the performance and the access to the data. Can you give me an example of other hardware key management usable for that aim?

Thanks a lot!