[openssl-users] Getting certificates from smartcards

Dr. Stephen Henson steve at openssl.org
Tue Jul 21 12:40:16 UTC 2015

On Tue, Jul 21, 2015, Victor Wagner wrote:

> On Tue, 21 Jul 2015 06:58:24 +0000 (UTC)
> Anirudh Raghunath <anirudhraghunath at rocketmail.com> wrote:
> As far as I can understand, this function is designed to be called from
> the client certificate callback, set with function
> SSL_CTX_set_client_cert_cb. This callback gets pointer to SSL structure
> (which should be passed to ENGINE_load_ssl_client_cert) and can use
> SSL_get_client_CA_list to obtain list of CAs, which server would trust.
> (SSL protocol allows to send this list to client).

It's intended to be called automatically when SSL_CTX_set_client_cert_engine
sets up a "client authentication ENGINE".

> So, you would pass to the ENGINE_load_ssl_client_certs
> 1. reference to engine to use
> 2. pointer to SSL object of your client connection (don't know why it
> might be needed), 

This is there so the ENGINE can query other properties of the connection which
might decide which chain to use. For example the supported signature

> Unfortunately, I do not know any engine which does all the things above.
> I've looked into source of OpenSC pkcs11 engine version 0.1.8 and found
> out that it doesn't support this function.

The CryptoAPI ENGINE performs some of these tasks but so far it is the only
one I'm aware of.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
