openssl and external card reader support in TLS
Michael Wojcik
Michael.Wojcik at microfocus.com
Wed Oct 23 14:51:29 UTC 2019
> From: Tobias.Wolf at t-systems.com [mailto:Tobias.Wolf at t-systems.com]
> Sent: Wednesday, October 23, 2019 02:11
>
> Our PKCS11 module development will discontinue and therefore I can't use it
> anymore, but the idea is great and very interesting.
> To give more details we need a callback or similar mechanism to replace the
> signature created in Certificate TLS message with our signature coming from
> the card reader.
For OpenSSL 1, the Engine mechanism is the way to do this. If you're discontinuing your PKCS#11 interface, then I think the only option is to write a custom engine.
For OpenSSL 3, I understand there's a new Provider mechanism for this purpose, but I haven't investigated it.
--
Michael Wojcik
Distinguished Engineer, Micro Focus