[openssl-users] Getting certificates from smartcards
anirudhraghunath at rocketmail.com
Tue Jul 21 20:56:06 UTC 2015
Shoot, I need that functionality. Can I perhaps use the X509 *load_cert(BIO *err, const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip) function then? If yes, then can someone elaborate on how to use this function? Thanks
On Tuesday, 21 July 2015 8:19 PM, Victor Wagner <vitus at wagner.pp.ru> wrote:
On Tue, 21 Jul 2015 13:58:21 +0000 (UTC)
Anirudh Raghunath <anirudhraghunath at rocketmail.com> wrote:
> Ah okay, that clears up quite a lot of doubts. But the certificate I
> want to load is a self signed certificate which has a private key
> attached to it. I used the XCA application to export the
> certificate-private key pair as a p12 file to the smart card. What
> should I do to get the certificate in this case? Thanks.
It doesn't matter how you've installed certificate into smart card.
Once it, and its corresponding private key is installed on the card,
you can access them separately, using PKCS#11 API (and command-line
pkcs11-tool utility). So, you can extract just certificate from
certificate-private key pair and put it into the file (but typically
you cannot extract private key. You can only use PKCS11 API or OpenSSL
ENGINE API on top of it to perform cryptographic operations with this
private key. This is what smartcards are for).
If you have opensc pkcs11 engine, you also should have pkcs11-tool from
pkcs11-tool --module <your pkcs11 module> --list-objects
to find out which certificate-private key pairs are available on your
card (you probably already know ID of your key pair, because you've used
ENGINE_load_private_key, and it requires key id as argument).
pkcs11-tool --module <your pkcs11 module> --write-object <id>
--type cert --output-file filename.der
to extract certificate from card. You can then convert it to pem
openssl x509 -in filename.der -inform DER -out filename.pem
or can just use function SSL_CTX_use_certificate_file passing
SSL_FILETYPE_ASN1 as its argument.
Personally I consider it ugly that one need to extract certificate from
token before it can be used in openssl-based applications for any
purpose except SSL-client authentication.
int ENGINE_load_certificate(ENGINE *e, const char *key id,
UI_METHOD *ui_method, void *callback_data)
is clearly missing from API.
Existence of such function would allow to use smartcards and other
hardware tokens to be used
1. In the server applications
2. In the non-SSL (i.e. CMS signing) applications
3. For secondary protocols like OCSP or timestamping authority.
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openssl-users