Re: [openssl-users] Getting certificates from smartcards

2015-07-22 Thread Anirudh Raghunath
Shoot, I need that functionality. Can I perhaps use the X509 *load_cert(BIO 
*err, const char *file, int format, const char *pass, ENGINE *e, const char 
*cert_descrip) function then? If yes, then can someone elaborate on how to use 
this function? Thanks.

Re: [openssl-users] Getting certificates from smartcards

2015-07-21 Thread Victor Wagner
On Tue, 21 Jul 2015 13:58:21 +0000 (UTC)
Anirudh Raghunath anirudhraghun...@rocketmail.com wrote:

 Ah okay, that clears up quite a lot of doubts. But the certificate I
 want to load is a self signed certificate which has a private key
 attached to it. I used the XCA application to export the
 certificate-private key pair as a p12 file to the smart card. What
 should I do to get the certificate in this case? Thanks.
 

It doesn't matter how you've installed the certificate into the smart card.
Once it and its corresponding private key are installed on the card,
you can access them separately, using the PKCS#11 API (and the command-line
pkcs11-tool utility). So, you can extract just the certificate from the
certificate-private key pair and put it into a file (but typically
you cannot extract the private key. You can only use the PKCS#11 API or the
OpenSSL ENGINE API on top of it to perform cryptographic operations with this
private key. This is what smartcards are for).

If you have the opensc pkcs11 engine, you should also have pkcs11-tool from
the opensc project.

Use

pkcs11-tool --module <your pkcs11 module> --list-objects

to find out which certificate-private key pairs are available on your
card (you probably already know the ID of your key pair, because you've used
ENGINE_load_private_key, and it requires the key id as an argument).

Then use

pkcs11-tool --module <your pkcs11 module> --read-object --id <id> \
    --type cert --output-file filename.der

to extract the certificate from the card (--read-object copies an object off
the token; --write-object would go the other way). You can then convert it to
PEM format using

openssl x509 -in filename.der -inform DER -out filename.pem

or can just use the function SSL_CTX_use_certificate_file, passing
SSL_FILETYPE_ASN1 as its argument.

Personally I consider it ugly that one needs to extract the certificate from
the token before it can be used in openssl-based applications for any
purpose except SSL client authentication.

Function

int ENGINE_load_certificate(ENGINE *e, const char *key_id,
                            UI_METHOD *ui_method, void *callback_data)

is clearly missing from the API.

The existence of such a function would allow smartcards and other
hardware tokens to be used

1. in server applications
2. in non-SSL (e.g. CMS signing) applications
3. for secondary protocols like OCSP or a timestamping authority.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
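The conversion step in the message above (openssl x509 -inform DER -out filename.pem) together with the sanity check a practitioner wants on a file that was just read off a token with pkcs11-tool, as an added Python example that is not part of the thread and not OpenSSL or OpenSC code: a small DER walker confirms the file is exactly one X.509 Certificate SEQUENCE with no trailing bytes, reads the serial number, and wraps the DER as PEM (and back). SAMPLE_DER and SAMPLE_DER_V1 are constructed fragments holding only the version and serial fields, not real certificates, and every function name is this example's own.

```python
"""Sanity-check a DER certificate read off a PKCS#11 token and wrap it as PEM.

Added example, not code from the openssl-users thread, OpenSSL or OpenSC.
Only the Python standard library is used."""
import base64


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value starting at `pos`.

    Returns (tag, value, next_pos). Rejects the encodings DER forbids
    (indefinite length, non-minimal length) and any truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER: no tag/length at offset %d" % pos)
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in X.509")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        if pos + n > len(buf):
            raise ValueError("truncated DER length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
            raise ValueError("non-minimal length encoding is not valid DER")
    if pos + length > len(buf):
        raise ValueError("truncated DER: value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def check_der_certificate(der: bytes):
    """Check that `der` is exactly one Certificate ::= SEQUENCE and return
    (serialNumber, tbs_length).

    Only the outer SEQUENCE, the TBSCertificate SEQUENCE and its leading
    [0] version / INTEGER serialNumber are parsed; that is enough to catch
    the usual mistakes when reading objects off a token: wrong object type,
    a wrong --output-file, or trailing garbage."""
    tag, cert_body, end = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer object is not a SEQUENCE (tag 0x%02x)" % tag)
    if end != len(der):
        raise ValueError("%d trailing bytes after the certificate" % (len(der) - end))
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    tag, field, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:  # [0] EXPLICIT Version; absent for v1 certificates
        tag, field, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber, got tag 0x%02x" % tag)
    return int.from_bytes(field, "big", signed=True), len(tbs)


def der_to_pem(der: bytes) -> str:
    """What `openssl x509 -inform DER -out file.pem` produces: base64 in
    64-column lines between CERTIFICATE markers. Refuses malformed input."""
    check_der_certificate(der)
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem (SSL_FILETYPE_PEM back to SSL_FILETYPE_ASN1 bytes)."""
    body = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


# Constructed sample fragments (NOT real certificates): an outer SEQUENCE holding a
# TBSCertificate SEQUENCE that stops right after the serial number 0x1234.
SAMPLE_DER = bytes.fromhex("300b" "3009" "a003020102" "02021234")  # with [0] version
SAMPLE_DER_V1 = bytes.fromhex("3006" "3004" "02021234")            # v1 style, no version


if __name__ == "__main__":
    serial, tbs_len = check_der_certificate(SAMPLE_DER)
    print("serial=%d tbs_len=%d" % (serial, tbs_len))
    print(der_to_pem(SAMPLE_DER), end="")
```

Point check_der_certificate at the bytes of filename.der before feeding the file to SSL_CTX_use_certificate_file; a rejected file usually means the wrong --id or --type was given to pkcs11-tool.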


Re: [openssl-users] Getting certificates from smartcards

2015-07-21 Thread Anirudh Raghunath
Shoot, I need that functionality. Can I perhaps use the X509 *load_cert(BIO 
*err, const char *file, int format, const char *pass, ENGINE *e, const char 
*cert_descrip) function then? If yes, then can someone elaborate on how to use 
this function? Thanks.


Re: [openssl-users] Getting certificates from smartcards

2015-07-21 Thread Victor Wagner
On Tue, 21 Jul 2015 06:58:24 +0000 (UTC)
Anirudh Raghunath anirudhraghun...@rocketmail.com wrote:

 Hello,
 I would like to utilize the ENGINE_load_ssl_client_cert() function to
 load a certificate from my smart card. I have successfully loaded the
 engine and have also tried to play around with the
 ENGINE_load_private_key() function. It worked successfully and I was
 able to get the private key in an EVP_PKEY object. But I also want
 the certificate associated with it. I looked at the code of
 ENGINE_load_ssl_client_cert() but cannot understand the parameters
 passed to it. Can someone please guide me on how to use it and
 perhaps give a working example of the call to that function with the
 parameters clearly mentioned and explained? Thanks in advance. 
 

As far as I can understand, this function is designed to be called from
the client certificate callback, set with the function
SSL_CTX_set_client_cert_cb. This callback gets a pointer to the SSL structure
(which should be passed to ENGINE_load_ssl_client_cert) and can use
SSL_get_client_CA_list to obtain the list of CAs which the server would trust
(the SSL protocol allows this list to be sent to the client).

So, you would pass to ENGINE_load_ssl_client_cert

1. a reference to the engine to use
2. a pointer to the SSL object of your client connection (I don't know why it
might be needed),
3. the list of CA distinguished names (ca_dn) which the server would trust.
You can obtain it from the SSL structure passed to your callback and
possibly filter something out of it.
4. three pointers to variables where the result should be placed:
one for the certificate, another for the private key and a third for the stack of
intermediate CA certificates
5. the UI method and its callback data (which you should already be
familiar with, because you have successfully managed to use
ENGINE_load_private_key).

The engine ought to find a certificate-private key pair where the certificate is
issued by one of the CAs in the list you pass (or at least a chain of
trust from it to one of these CAs can be built).

Then the engine asks the user for the PIN code of the private key and returns all the
objects: certificate, private key and chain of trust from this
certificate to one of the CAs you've passed to it.

Probably there can be a situation where more than one certificate in the
hardware token matches the given criteria (issued by one of the given CAs).
In this case the engine should use ui_method to ask the user which one of them
he wants to use.

Unfortunately, I do not know any engine which does all the things above.
I've looked into the source of the OpenSC pkcs11 engine version 0.1.8 and found
out that it doesn't support this function.

So I have to copy the certificate out of the token into a file using pkcs11-tool
and use ENGINE_load_private_key to load the key from the token.
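The selection Victor describes an engine having to make inside ENGINE_load_ssl_client_cert (find the key pair whose certificate chains to one of the server's ca_dn entries, return certificate plus intermediates, and fall back to ui_method when more than one matches), as an added Python model that is not code from the thread, from OpenSSL or from any engine. Certificates and X509_NAME values are stand-ins: TokenCert, SAMPLE_TOKEN and the string DNs are constructed for this example, and ask_user plays the role of ui_method. A real engine compares X509_NAME structures and can also consult the SSL object it is handed (for the connection's accepted signature algorithms, for instance); neither is modelled here.

```python
"""Model of the certificate selection an ENGINE must perform for
ENGINE_load_ssl_client_cert. Added example; not OpenSSL or OpenSC code."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class TokenCert:
    """One certificate object on the token. `key_id` is the PKCS#11 CKA_ID it
    shares with a private key object, or None for a CA certificate stored
    without a key (those can only serve as chain links)."""
    subject: str
    issuer: str
    key_id: Optional[str] = None


def build_chain(leaf: TokenCert, pool: List[TokenCert], ca_dn: List[str],
                max_depth: int = 8) -> Optional[List[TokenCert]]:
    """Follow issuer links through `pool` until an issuer DN appears in the
    server's ca_dn list. Returns the intermediates (leaf excluded, in order),
    [] if the leaf is issued directly by a listed CA, or None if no chain
    reaches the list. A self-signed certificate qualifies only if its own DN
    is in ca_dn, which is the situation with the self-signed certificate
    discussed in the thread."""
    chain: List[TokenCert] = []
    cur = leaf
    for _ in range(max_depth):
        if cur.issuer in ca_dn:
            return chain
        if cur.issuer == cur.subject:  # self-signed, and not trusted by the server
            return None
        nxt = next((c for c in pool if c.subject == cur.issuer), None)
        if nxt is None:  # issuer certificate is not on the token
            return None
        chain.append(nxt)
        cur = nxt
    return None  # loop or overly long chain


def select_client_cert(token: List[TokenCert], ca_dn: List[str],
                       ask_user: Optional[Callable[[List[str]], int]] = None
                       ) -> Optional[Tuple[TokenCert, List[TokenCert]]]:
    """Return (certificate, intermediate chain) for the key pair to use, or None.

    Mirrors the outputs of ENGINE_load_ssl_client_cert: the certificate, the
    private key (identified here by key_id) and the stack of intermediates.
    Candidates need a private key and a chain to a listed CA. With several
    candidates `ask_user` (the ui_method stand-in) picks one by index; with no
    UI the first match is taken."""
    candidates = []
    for cert in token:
        if cert.key_id is None:
            continue
        chain = build_chain(cert, token, ca_dn)
        if chain is not None:
            candidates.append((cert, chain))
    if not candidates:
        return None
    if len(candidates) > 1 and ask_user is not None:
        return candidates[ask_user([c.subject for c, _ in candidates])]
    return candidates[0]


# Constructed sample token contents (string DNs, not real X509_NAME values).
SAMPLE_TOKEN = [
    TokenCert("CN=alice,O=Example", "CN=Example Issuing CA", key_id="01"),
    TokenCert("CN=Example Issuing CA", "CN=Example Root CA"),  # intermediate, no key
    TokenCert("CN=alice-selfsigned", "CN=alice-selfsigned", key_id="02"),
    TokenCert("CN=bob,O=Other", "CN=Other CA", key_id="03"),
]


if __name__ == "__main__":
    for ca_list in (["CN=Example Root CA"], ["CN=alice-selfsigned"], ["CN=Nobody"]):
        picked = select_client_cert(SAMPLE_TOKEN, ca_list)
        if picked is None:
            print(ca_list, "-> no usable certificate on token")
        else:
            cert, chain = picked
            print(ca_list, "-> key", cert.key_id, "chain", [c.subject for c in chain])
```

The second sample CA list shows why the self-signed case in the thread is awkward for this API: the server must advertise the self-signed certificate's own DN, otherwise no candidate chains to anything and the engine has nothing to return.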


[openssl-users] Getting certificates from smartcards

2015-07-21 Thread Anirudh Raghunath
Hello,
I would like to utilize the ENGINE_load_ssl_client_cert() function to load a 
certificate from my smart card. I have successfully loaded the engine and have 
also tried to play around with the ENGINE_load_private_key() function. It 
worked successfully and I was able to get the private key in an EVP_PKEY 
object. But I also want the certificate associated with it. I looked at the 
code of ENGINE_load_ssl_client_cert() but cannot understand the parameters 
passed to it. Can someone please guide me on how to use it and perhaps give a 
working example of the call to that function with the parameters clearly 
mentioned and explained? Thanks in advance. 


Re: [openssl-users] Getting certificates from smartcards

2015-07-21 Thread Anirudh Raghunath
Ah okay, that clears up quite a lot of doubts. But the certificate I want to 
load is a self signed certificate which has a private key attached to it. I 
used the XCA application to export the certificate-private key pair as a p12 
file to the smart card. What should I do to get the certificate in this case? 
Thanks.


Re: [openssl-users] Getting certificates from smartcards

2015-07-21 Thread Dr. Stephen Henson
On Tue, Jul 21, 2015, Victor Wagner wrote:

 On Tue, 21 Jul 2015 06:58:24 + (UTC)
 Anirudh Raghunath anirudhraghun...@rocketmail.com wrote:
 
 As far as I can understand, this function is designed to be called from
 the client certificate callback, set with function
 SSL_CTX_set_client_cert_cb. This callback gets pointer to SSL structure
 (which should be passed to ENGINE_load_ssl_client_cert) and can use
 SSL_get_client_CA_list to obtain list of CAs, which server would trust.
 (SSL protocol allows to send this list to client).
 

It's intended to be called automatically when SSL_CTX_set_client_cert_engine
sets up a client authentication ENGINE.

 So, you would pass to ENGINE_load_ssl_client_cert
 
 1. reference to engine to use
 2. pointer to SSL object of your client connection (don't know why it
 might be needed), 

This is there so the ENGINE can query other properties of the connection which
might decide which chain to use, for example the supported signature
algorithms.

 
 Unfortunately, I do not know any engine which does all the things above.
 I've looked into source of OpenSC pkcs11 engine version 0.1.8 and found
 out that it doesn't support this function.
 

The CryptoAPI ENGINE performs some of these tasks but so far it is the only
one I'm aware of.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org