Title: Message
Hello,

I hope this is the right group to ask.
For starters, I'm an OpenSSL newbie, so please forgive my ignorance.
I've done my best to research the topic before posting and have
learned a great deal.  However, I'm at a sticking point now.
 
I'm trying to use the OpenSSL libraries in conjunction with a Spyrus
SmartCard reader and Rosetta Token on the Windows 2000 platform.

I've managed to compile the OpenSSL libraries (0.9.7h) along with the
latest Trustway patch and build my NT DLL.

I've made the appropriate calls to initialize the PKCS11 engine (for
brevity, I left out the result checks and error reporting):
   #include <openssl/engine.h>

   ENGINE *e;
   const char *engine_id = "pkcs11";   /* engine id; "pkcs11" assumed here */
   ENGINE_load_builtin_engines();      /* register the engines built into libcrypto */
   e = ENGINE_by_id(engine_id);        /* structural reference to the engine */
   ENGINE_init(e);                     /* functional reference: engine ready for use */
   ENGINE_set_default_RSA(e);          /* route RSA operations through the engine */
   ENGINE_set_default_DSA(e);          /* route DSA operations through the engine */
   ENGINE_set_default_ciphers(e);      /* route symmetric ciphers through the engine */

All this works without error (results check out ok).

So now I want to use this new functionality with some existing code I
have.  This existing code makes its calls to initialize an SSL Context
and write encrypted data to buffers used in SSL Socket communication.

In this code, it currently specifies the cert and key files by making
calls to SSL_CTX_use_certificate_file and SSL_CTX_use_PrivateKey_file.

This is where I get fuzzy.  I've searched the internet endlessly for an
example on how to use the PKCS11 engine to handle the encryption and
decryption based on the private key on the hardware token.

It is my understanding that the above engine calls should redirect the
RSA/DSA and cipher functions to the SmartCard and in turn the card
will use the Private Key stored on it to perform the requested
function.

But where I get lost is: how do I tell the engine what card to use,
and how do I tell the SSL Context to use the PKCS11 engine (aside from
my engine calls above)?

Also, I'm thinking that the engine needs to know what PKCS DLL to
load/use and that I need to specify that somehow.

So maybe I'm very close and need only to make a few other calls or
specify my parameters to SSL_CTX_use_XXXXX_file differently.

Or...maybe I'm way off in my expectation that the use of PKCS11 engine
is more or less transparent to me and that I will actually have to
make specific SmartCard calls in place of my existing SSL_CTX calls.

Any help would be greatly appreciated.  I apologize if this is common
knowledge, but I have searched the web and read the documentation and
I just seem to be missing it.  This could be my lack of OpenSSL
knowledge or my lack of sleep.

Anyhow, thanks again.
- Mark
PS: I posted this on the newsgroup with no response.  I hope sending this to the mailing list is ok.
 
 

Mark Lassiter
Lassiter Consulting Services, Ltd.
614.895.2770
[EMAIL PROTECTED]