Hi Michael,
I see what you mean. So once I have everything setup, i use the
following to get the private key:
EVP_PKEY *pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier,
transfer_pin, &cb_data);
Will pkey actually contain the private key from the smart card? I
thought it was not possible to get a private key from a smart card?
Once I have pkey, do I simply use it within the /client_cert_cb/
callback function?
Thanks,
George
On 2020-12-14 10:58 a.m., Michael Wojcik wrote:
From: openssl-users <openssl-users-boun...@openssl.org> On Behalf Of George
Sent: Monday, 14 December, 2020 08:15
Thanks for your response. It looks like I don't already have the PPP and
PPPD.
You don't need PPP to use a smartcard or other PKCS#11 device. Jan just
mentioned the source as a exemplar of the interactions your code will need to
have with OpenSSL.
Are there any other ways to get the Smart Card to work without needing to
install additional software?
Probably not.
OpenSSL's PKCS#11 Engine implements the PKCS#11 API. That API needs a way to
talk to the particular PKCS#11-compatible hardware you're using. That means it
needs a driver, and generally some configuration as well.
It's been a few years since I last played around with this - I got OpenSSL
working with a NitroKey as part of a code-signing spike - but you'll need to
investigate PKCS#11 support for your particular device. There are Open Source
projects such as OpenSC which may give you part or all of what you need to get
OpenSSL's PKCS#11 Engine working with your hardware.
When I did it, it wasn't trivial. I spent a couple of days on investigation and
experimenting before I got anything working, and a couple more days making sure
I understood the entire process and documenting procedures that worked
consistently. (With some applications I had persistent problems such as Windows
insisting on prompting for the device PIN instead of letting me supply it
programmatically, but I think that was only when using Microsoft APIs rather
than going through OpenSSL.)
If the client certificate uses a public key that corresponds to a private key
on the smartcard, though, that's what you'll have to do. You can't use a
certificate as a proof of identity without the corresponding private key. (Some
HSMs and other crypto devices have support for exporting private keys, often as
multiple shares, for backup and cloning purposes. Using that to get the private
key for direct use defeats the whole purpose of an HSM, of course, so that
shouldn't be used to bypass the card.)
--
Michael Wojcik
