AW: openssl and external card reader support in TLS

Jan Just Keijser janjust at
Fri Oct 25 15:37:22 UTC 2019

Hi Tobias,

On 23/10/19 10:11, Tobias.Wolf at wrote:
> Our PKCS11 module development will discontinue and therefore I can`t use it anymore, but the idea is great and very interesting.
> To give more details we need a callback or similar mechanism to replace the signature created in Certificate TLS message with our signature coming from the card reader.
> TLS handshake
> ......
> S: Certificate Request
> C: Certificate Verify --> here we want to hook in "Signature" and replace the value!
> .....
> We tried already with the client callback
> int (*client_cert_cb)(SSL *ssl, X509 **x509,
>                                                         EVP_PKEY **pkey));
> But there it is mandatory to give in the private key which we don`t have, because that part is done by the card reader machine.
> I think the caller of the callback is doing later on a rsa sign processing with the private key and there I want to hook in!

writing your own engine might be the easiest thing: the way it 
currently(most likely) works, is
   openssl -> engine_pkcs11 -> libp11 -> pkcs11 driver

all you'd have to do is move your pkcs11 driver code into a fork of the 
engine_pkcs11 code. That code is less than 2000 lines long, so it should 
be fairly straightforward.



More information about the openssl-users mailing list