Hi,
I'd like to make an enhancement to engine_pkcs, so I'm sending a
message to the community beforehand for feedback.
engine_pkcs does not currently provide a way to get a certificate from
a PKCS#11 hard token when accessed from OpenSSL. I'd like to enhance
the engine to support the OpenSSL ENGINE_load_ssl_client_cert()
function, which returns among other things a x509 certificate. Since
the function provides no way that I can see to specify which
certificate to "load", I would do this by adding a method to the
engine to set the certificate name before actually getting the
certificate. The way the function would be used when interfacing with
OpenSSL would be roughly as follows:
// Set the certificate name (slot-id) to use for a subsequent
certificate request
ENGINE_ctrl_cmd(e, "CERT_ID", strlen(cert_name), cert_name, NULL, 0));
// Get the certificate from the engine
ENGINE_load_ssl_client_cert(e, https_ssl, ca_dn, &cert,
&key,&othercerts, NULL,NULL)
// Use the certificate when establishing an SSL session
SSL_CTX_use_certificate(https_ctx, cert);
The model is similar to the way that engine is used for setting the
PIN as follows:
ENGINE_ctrl_cmd(e, "PIN", strlen(pin), pin, NULL, 0);
Subsequent engine private key functions use the PIN if one set;
otherwise, the user is prompted.
Any feedback would be greatly appreciated.
Thanks,
Peter
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
