private key not available for client_cert_cb
George
whippet0 at gmail.com
Mon Dec 14 07:08:05 UTC 2020
Hi,
I'm new to OpenSSL and am trying to set up mutual authentication in
a client. The client is set up with OpenSSL 1.0.2u, and the client's
certificate + private key are stored on a Smart Card. When the client
receives a certificate request from the server during the mutual
authentication handshake, the OpenSSL client_cert_cb callback function
is automatically invoked. The problem is that client_cert_cb requires
a private key. Unfortunately, it is not possible to get a private key
from a Smart Card. Is there a way to send a certificate to the server
without needing the private key?
I'm setting up the callback function with:
void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL
*ssl, X509 **x509, EVP_PKEY **pkey));
Here is a sample of what my code looks like when I set this up:
SSL_CTX_set_client_cert_cb(context, openSSLClientAuthenticationCallBack);
int openSSLClientAuthenticationCallBack(SSL *ssl, X509 **x509,
EVP_PKEY **pkey)
{
. . .
}
I can access the Smart Card using the PKCS#11 interface and I'm able to
get the certificate and sign it, etc. However, I cannot get the actual
private key from the Smart Card.
Does anyone know how I can get around this problem?
Thanks,
George