openssl and external card reader support in TLS

Michael Wojcik Michael.Wojcik at
Tue Oct 22 15:00:15 UTC 2019

> From: openssl-users [mailto:openssl-users-bounces at] On Behalf Of Tobias.Wolf at
> Sent: Tuesday, October 22, 2019 07:03

> I need to implement support for the external authentication of a card reader within a
> TLS handshake. We did this already with PKCS11 using the C_Sign function and it is
> working fine.

> Now I need to implement the same functionality in another use case with openssl for
> TLS handshake.

> My Question is there a callback I can use or do I need to implement my own ENGINE?

OpenSSL includes a PKCS#11 engine. I've used it in the past to interact with some HSMs for cryptographic operations such as code signing. While some research and additional software may be required to get all the PKCS#11 ducks in a row, it sounds like you've already successfully used PKCS#11 with your device, so I'd expect using it with OpenSSL will be fairly straightforward.

You can find examples of using the openssl command-line utility with the PKCS#11 engine online. That's a good way to get started; it will let you confirm what settings and commands you need.

Michael Wojcik
Distinguished Engineer, Micro Focus

More information about the openssl-users mailing list