[openssl-users] Getting certificates from smartcards
Dr. Stephen Henson
steve at openssl.org
Tue Jul 21 12:40:16 UTC 2015
On Tue, Jul 21, 2015, Victor Wagner wrote:
> On Tue, 21 Jul 2015 06:58:24 +0000 (UTC)
> Anirudh Raghunath <anirudhraghunath at rocketmail.com> wrote:
>
> As far as I can understand, this function is designed to be called from
> the client certificate callback, set with function
> SSL_CTX_set_client_cert_cb. This callback gets pointer to SSL structure
> (which should be passed to ENGINE_load_ssl_client_cert) and can use
> SSL_get_client_CA_list to obtain list of CAs, which server would trust.
> (SSL protocol allows to send this list to client).
>
It's intended to be called automatically when SSL_CTX_set_client_cert_engine
sets up a "client authentication ENGINE".
> So, you would pass to the ENGINE_load_ssl_client_certs
>
> 1. reference to engine to use
> 2. pointer to SSL object of your client connection (don't know why it
> might be needed),
This is there so the ENGINE can query other properties of the connection which
might decide which chain to use. For example the supported signature
algorithms.
>
> Unfortunately, I do not know any engine which does all the things above.
> I've looked into source of OpenSC pkcs11 engine version 0.1.8 and found
> out that it doesn't support this function.
>
The CrytpoAPI ENGINE performs some of these tasks but so far it is the only
one I'm aware of.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-users
mailing list