On Thursday, Apr 3, 2003, at 10:34 Etc/GMT, Andreas Jellinghaus wrote:


> Hi,
>
> David Mattes wrote:
>> This is a request for information. Does anyone have any experience
>> using OpenSSL with smartcards in Linux? Are you using the Trustway
>> PKCS11 OpenSSL patch? I'm investigating the use of a smartcard to
>> negotiate an stunnel. Stunnel uses the OpenSSL libraries, and it seems
>> that OpenSSL crypto engine support is slowly getting more mature with
>> 0.9.7a.
>
> I tried openssl + trustway patch + opensc.
>
> It seems to work, but the pkcs11 engine in openssl doesn't ask for pins,
> does not log in, and thus does not find my key. It is written for a pci
> hardware crypto board, and I guess they don't need login/pin/puk/so pin/
> so puk and stuff like that.

The HSM might require that the PIN is entered on a keypad connected directly to it. The PKCS#11 user is then considered connected on all new connections.

You could probably emulate this with a smart card. When a PIN is presented to a card, the user (cardholder) is authenticated for all incoming commands, until it is "deauthenticated" or the card is reset/powered down. If you write a small external application that just asks for the user PIN and presents it to the card, the card is "opened" until you remove it from the reader.

Some cards require PIN presentation on each key access, but they are not the most common ones.

> Also to use a private key you need to have the public key as file on
> your hard disk. That's strange, I guess keys have an id in pkcs#11
> so the code could look up the key by ID?

IMHO it is just because much of the openssl API relies on file management.

> result: nice patch, but not written for smartcards.
> however improving it for smartcards shouldn't be too hard,
> openssl has already some infrastructure (e.g. for asking a
> pin before loading the key / use of a pin passed somehow).

The openssl functions I have seen allow passing a callback to get the authentication done.

Cheers,
JLuc.
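The two PKCS#11 behaviours the thread turns on (private objects stay invisible until the application has done C_Login, and a key can then be located by its CKA_ID rather than by a public-key file) can be made concrete with a small simulated token. The code below is an added example, not part of the thread and not OpenSC, OpenSSL or Trustway code: it loads no real PKCS#11 module, the Token class, the sample objects, the PIN "1234" and the three-try lockout are all constructed for illustration, and only the CKR_/CKU_/CKO_ constant values are taken from the PKCS#11 standard.

```python
"""Simulated PKCS#11 token: login state and object visibility.

Constructed example (not from the mailing-list thread, OpenSC or OpenSSL).
It models why an engine that never calls C_Login cannot find the private
key, how lookup by CKA_ID works once logged in, that the login is per
token (so it persists for later sessions until C_Logout or a card reset),
and how a wrong PIN consumes retries until the PIN is locked.
"""
import hmac
from dataclasses import dataclass, field

# Constant values as defined in the PKCS#11 standard
CKR_OK = 0x000
CKR_PIN_INCORRECT = 0x0A0
CKR_PIN_LOCKED = 0x0A4
CKR_USER_ALREADY_LOGGED_IN = 0x100
CKR_USER_NOT_LOGGED_IN = 0x101
CKR_USER_TYPE_INVALID = 0x102
CKU_USER = 1
CKO_PUBLIC_KEY = 2
CKO_PRIVATE_KEY = 3
CKA_CLASS, CKA_ID, CKA_PRIVATE = "CKA_CLASS", "CKA_ID", "CKA_PRIVATE"


@dataclass
class Token:
    """Hypothetical token: the state lives on the token, not on a session."""
    user_pin: str
    objects: list = field(default_factory=list)
    max_tries: int = 3
    pin_tries_left: int = 3
    logged_in: bool = False

    def c_login(self, user_type, pin):
        if self.logged_in:
            return CKR_USER_ALREADY_LOGGED_IN
        if user_type != CKU_USER:
            return CKR_USER_TYPE_INVALID
        if self.pin_tries_left == 0:
            return CKR_PIN_LOCKED
        if not hmac.compare_digest(pin.encode(), self.user_pin.encode()):
            self.pin_tries_left -= 1
            return CKR_PIN_LOCKED if self.pin_tries_left == 0 else CKR_PIN_INCORRECT
        self.pin_tries_left = self.max_tries
        self.logged_in = True
        return CKR_OK

    def c_logout(self):
        self.logged_in = False
        return CKR_OK

    def reset(self):
        """Card reset / power-down deauthenticates the cardholder."""
        self.logged_in = False

    def c_find_objects(self, template):
        """Handles of objects matching every attribute in template.
        Objects with CKA_PRIVATE = TRUE are hidden until the user logs in."""
        found = []
        for handle, obj in enumerate(self.objects):
            if obj.get(CKA_PRIVATE) and not self.logged_in:
                continue
            if all(obj.get(k) == v for k, v in template.items()):
                found.append(handle)
        return found


def make_sample_token():
    """Constructed token holding one key pair; both halves share CKA_ID 0x01."""
    return Token(user_pin="1234", objects=[
        {CKA_CLASS: CKO_PUBLIC_KEY, CKA_ID: b"\x01", CKA_PRIVATE: False},
        {CKA_CLASS: CKO_PRIVATE_KEY, CKA_ID: b"\x01", CKA_PRIVATE: True},
    ])


def find_private_key(token, key_id, pin=None):
    """What a smartcard-aware engine should do: log in if a PIN was obtained
    (e.g. from a callback), then locate the key by CKA_ID, no key file needed.
    Returns (return_code, handles); the not-logged-in diagnosis is this
    wrapper's own, a real C_FindObjects just returns no private objects."""
    if pin is not None:
        rv = token.c_login(CKU_USER, pin)
        if rv not in (CKR_OK, CKR_USER_ALREADY_LOGGED_IN):
            return rv, []
    handles = token.c_find_objects({CKA_CLASS: CKO_PRIVATE_KEY, CKA_ID: key_id})
    if not handles and not token.logged_in:
        return CKR_USER_NOT_LOGGED_IN, []
    return CKR_OK, handles


if __name__ == "__main__":
    tok = make_sample_token()
    print("no login:   ", find_private_key(tok, b"\x01"))
    print("with PIN:   ", find_private_key(tok, b"\x01", pin="1234"))
    print("later call: ", find_private_key(tok, b"\x01"))
    tok.reset()
    print("after reset:", find_private_key(tok, b"\x01"))
```

The first lookup fails exactly the way the engine in the thread does (the private object is simply not returned), the second succeeds after C_Login, and the third succeeds with no PIN at all, which is the behaviour the external "open the card" helper relies on until the card is reset or removed.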

_______________________________________________
Muscle mailing list
[EMAIL PROTECTED]
http://lists.musclecard.com/mailman/listinfo/muscle