[openssl-users] Loading pkcs11 engine opensc without using command line

Dr. Stephen Henson steve at openssl.org
Fri Jul 17 00:10:27 UTC 2015


On Thu, Jul 16, 2015, Anirudh Raghunath wrote:

> Hello, 
> 
> I want to write a program in which I can load a certificate from a smartcard instead of having it in a file on the client machine. In order to do so I will be using opensc's engine_pkcs11 module. The module works fine using the shell, but I want to implement it as an independent program. For example, if I use the rsautl module then I can provide the inkey option and keyform option to use the private key from the smartcard. Look at the snippet below:
> 
>     openssl rsautl -sign -in file -keyform engine -engine pkcs11 -inkey slot_1-id_54a4c9bdaf3ff82b3367b586a6658c23 -out sig
> 
> In order to do so I have to load the engine first. I do that as follows:
> 
>     openssl engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
> 
> which yields the result:
> 
>     (dynamic) Dynamic engine loading support
>     [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
>     [Success]: ID:pkcs11
>     [Success]: LIST_ADD:1
>     [Success]: LOAD
>     [Success]: MODULE_PATH:opensc-pkcs11.so
>     Loaded: (pkcs11) pkcs11 engine
> 
> I want to do the same using C code in an independent program so that I can use the
> 
>     static X509 *pkcs11_load_cert(ENGINE * e, const char *s_slot_cert_id)
> 
> function to get the certificate from the smart card.
> 
> So I tried to debug engine.c using the ddd debugger to understand exactly which part of the code was required to just load the engine. In the same program I want to use the opensc function to load the certificate directly from the smartcard and then use it in further server/client communication.
> 

You may be able to make use of the automatic dynamic engine loading mechanism
to simplify things. You can pass the ENGINE DSO path as the ENGINE name or to
the function ENGINE_by_id() and it should load it.

I suggest you try it with the command line utility first.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org