[openssl-users] Getting certificates from smartcards

Victor Wagner vitus at wagner.pp.ru
Tue Jul 21 11:20:03 UTC 2015

On Tue, 21 Jul 2015 06:58:24 +0000 (UTC)
Anirudh Raghunath <anirudhraghunath at rocketmail.com> wrote:

> Hello,
> I would like to utilize the ENGINE_load_ssl_client_cert() function to
> load a certificate from my smart card. I have successfully loaded the
> engine and have also tried to play around with the
> ENGINE_load_private_key() function. It worked successfully and I was
> able to get the private key in an EVP_PKEY object. But I also want
> the certificate associated with it. I looked at the code of
> ENGINE_load_ssl_client_cert() but cannot understand the parameters
> passed to it. Can someone please guide me on how to use it and
> perhaps give a working example of the call to that function with the
> parameters clearly mentioned and explained? Thanks in advance. 

As far as I can understand, this function is designed to be called from
the client certificate callback, set with function
SSL_CTX_set_client_cert_cb. This callback gets pointer to SSL structure
(which should be passed to ENGINE_load_ssl_client_cert) and can use
SSL_get_client_CA_list to obtain list of CAs, which server would trust.
(SSL protocol allows to send this list to client).

So, you would pass to the ENGINE_load_ssl_client_certs

1. reference to engine to use
2. pointer to SSL object of your client connection (don't know why it
might be needed), 
3. list of CA distinguished names (ca_dn) which server would trust.
You can obtain it from the SSL structure passed to your callback and
possibly filter something out of it.
4. Three pointers to variables where result should be placed - 
one for certificate, other for private key and third for the stack of
intermediate CA certificates
5. UI method and its callback data (which you should be already
familiar with, because you have successfully managed to use

Engine ought to find certificate-private key pair, where certificate is
issued by one of the CA in the list you pass (or at least chain of
trust from it to one of these CAs can be build)

Then engine asks user for PIN-code of private key and returns all the
objects - certificate, private key and chain of trust from this
certificate to one of CAs you've passed to it.

Probably, there can be situation where more than one certificate in the
hardware token matches given criteria (issued by one of given CA).
In this case engine should use ui_method to ask user which one of them
he wants to use.

Unfortunately, I do not know any engine which does all the things above.
I've looked into source of OpenSC pkcs11 engine version 0.1.8 and found
out that it doesn't support this function.

So I have to copy certificate out of token into file using pkcs11-tool
and use ENGINE_load_private_key to load key from token.

More information about the openssl-users mailing list