AW: openssl and external card reader support in TLS

Tobias.Wolf at Tobias.Wolf at
Wed Oct 23 08:11:12 UTC 2019

Our PKCS11 module development will discontinue and therefore I can`t use it anymore, but the idea is great and very interesting. 
To give more details we need a callback or similar mechanism to replace the signature created in Certificate TLS message with our signature coming from the card reader.

TLS handshake
S: Certificate Request
C: Certificate Verify --> here we want to hook in "Signature" and replace the value!

We tried already with the client callback

int (*client_cert_cb)(SSL *ssl, X509 **x509,
                                                       EVP_PKEY **pkey));

But there it is mandatory to give in the private key which we don`t have, because that part is done by the card reader machine. 
I think the caller of the callback is doing later on a rsa sign processing with the private key and there I want to hook in!

Tobias Wolf, T-Systems

-----Ursprüngliche Nachricht-----
Von: openssl-users <openssl-users-bounces at> Im Auftrag von Michael Wojcik
Gesendet: Dienstag, 22. Oktober 2019 17:00
An: openssl-users at
Betreff: RE: openssl and external card reader support in TLS

> From: openssl-users [mailto:openssl-users-bounces at] On 
> Behalf Of Tobias.Wolf at
> Sent: Tuesday, October 22, 2019 07:03

> I need to implement support for the external authentication of a card 
> reader within a TLS handshake. We did this already with PKCS11 using 
> the C_Sign function and it is working fine.

> Now I need to implement the same functionality in another use case 
> with openssl for TLS handshake.

> My Question is there a callback I can use or do I need to implement my own ENGINE?

OpenSSL includes a PKCS#11 engine. I've used it in the past to interact with some HSMs for cryptographic operations such as code signing. While some research and additional software may be required to get all the PKCS#11 ducks in a row, it sounds like you've already successfully used PKCS#11 with your device, so I'd expect using it with OpenSSL will be fairly straightforward.

You can find examples of using the openssl command-line utility with the PKCS#11 engine online. That's a good way to get started; it will let you confirm what settings and commands you need.

Michael Wojcik
Distinguished Engineer, Micro Focus

More information about the openssl-users mailing list