On Sun, 19 Feb 2006, Karsten Ohme wrote:
> > And now I can display the full certificates from signtrust.de with openssl.
> > So there might be no further problem doing the next step and trying to sign
> > outgoing mails with my MUA mutt.
>
> What application do you use to access the card?
> For signing anything the certificates do not help very much. You need an
> application which can sign on the card with the private key.
Yes, that's the point.
I can access the card using pkcs11-tool for accessing the cryptographic
tokens (keys, certificates) on a higher, more application-like layer,
and pkcs15-tool for accessing the cryptographic objects on a more
file-like basis.
And of course opensc-explorer to get details on the card itself.
For accessing the keys I am trying to use a dynamic OpenSSL engine
(engine_pkcs11.so) to provide access to the cryptographic tokens on the card.
For starting the mechanism I load the dynamic engine:
$ openssl
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so \
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \
-pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
OpenSSL> req -engine pkcs11 -new -key id_01 \
-keyform engine -out req.pem -text -x509 \
-subj "/CN=Georg Lohrer"
to get a self-signed certificate signed with the key with id 01 on the card.
I haven't tested it with a pinpad reader at all; with the GemPC Twin the
openssl-pkcs11-engine lib let me enter the PIN for accessing the key on my
usual keyboard.
All these '-pre' values could be packed into an openssl config file and
would then be used directly, without explicit command-line parameters.
The next step will be to use the 'smime' command of OpenSSL to sign an
infile:
$ openssl smime -config ./openssl.cnf -engine pkcs11 -sign -signer <my_cert> \
-keyform engine -inkey id_01 -in tosign -outform DER
But I have not reached this step yet, because I have to tuck the children
into bed :-)
Ciao, Georg
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
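The post mentions packing the '-pre' engine commands into an openssl config file but does not show one. The fragment below is an added example, not code from the original post or from OpenSC/engine_pkcs11; it uses the standard OpenSSL engine configuration section and the library paths quoted in the post (/usr/lib/engines/engine_pkcs11.so and /usr/lib/opensc-pkcs11.so), which are assumptions to adjust for the local system.

```ini
# Added example (not from the original post): openssl.cnf fragment that
# replaces the interactive '-pre' commands with a static engine section.
# Library paths are assumptions taken from the post; adjust as needed.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
# replaces "-pre ID:pkcs11" and "-pre SO_PATH:... -pre LIST_ADD:1 -pre LOAD"
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
# replaces "-pre MODULE_PATH:..." (the PKCS#11 module that talks to the card)
MODULE_PATH = /usr/lib/opensc-pkcs11.so
# defer initialisation until the engine is really used, so commands that
# never touch the card do not prompt for a PIN or fail with no card inserted
init = 0
```

With this file selected (either via the subcommand's -config option or, portably for every subcommand, via the OPENSSL_CONF environment variable), the certificate request from the post reduces to `openssl req -engine pkcs11 -keyform engine -key id_01 -new -x509 -out req.pem`, and signing becomes `openssl smime -engine pkcs11 -sign -signer cert.pem -keyform engine -inkey id_01 -in tosign -outform DER -out signed.der`; note that `smime -sign` takes the private key via -inkey, so with -keyform engine the key id must be given there, otherwise OpenSSL tries to load the signer certificate file as the key. A quick check that the card really signed is `openssl smime -verify -inform DER -in signed.der -content tosign -CAfile cert.pem` (signatures are detached unless -nodetach is passed, hence -content). Two caveats: engine_pkcs11 also accepts a PIN directive in this section, but that stores the card PIN in cleartext on disk, so it is better to let the engine prompt; and OpenSSL 3 deprecates the engine API in favour of providers, where the same card is reached through a PKCS#11 provider rather than engine_pkcs11.so.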