AW: openssl and external card reader support in TLS
Jan Just Keijser
janjust at nikhef.nl
Fri Oct 25 15:37:22 UTC 2019
On 23/10/19 10:11, Tobias.Wolf at t-systems.com wrote:
> Our PKCS11 module development will discontinue and therefore I can`t use it anymore, but the idea is great and very interesting.
> To give more details we need a callback or similar mechanism to replace the signature created in Certificate TLS message with our signature coming from the card reader.
> TLS handshake
> S: Certificate Request
> C: Certificate Verify --> here we want to hook in "Signature" and replace the value!
> We tried already with the client callback
> int (*client_cert_cb)(SSL *ssl, X509 **x509,
> EVP_PKEY **pkey));
> But there it is mandatory to give in the private key which we don`t have, because that part is done by the card reader machine.
> I think the caller of the callback is doing later on a rsa sign processing with the private key and there I want to hook in!
writing your own engine might be the easiest thing: the way it
currently(most likely) works, is
openssl -> engine_pkcs11 -> libp11 -> pkcs11 driver
all you'd have to do is move your pkcs11 driver code into a fork of the
engine_pkcs11 code. That code is less than 2000 lines long, so it should
be fairly straightforward.
More information about the openssl-users