private key not available for client_cert_cb

George whippet0 at gmail.com
Mon Dec 14 16:35:37 UTC 2020


Hi Michael,

    I see what you mean. So once I have everything setup, i use the 
following to get the private key:
EVP_PKEY *pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, 
transfer_pin, &cb_data);

Will pkey actually contain the private key from the smart card? I 
thought it was not possible to get a private key from a smart card?

Once I have pkey, do I simply use it within the /client_cert_cb/ 
callback function?


Thanks,
George


On 2020-12-14 10:58 a.m., Michael Wojcik wrote:
>> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of George
>> Sent: Monday, 14 December, 2020 08:15
>>    Thanks for your response. It looks like I don't already have the PPP and PPPD.
> You don't need PPP to use a smartcard or other PKCS#11 device. Jan just mentioned the source as a exemplar of the interactions your code will need to have with OpenSSL.
>
>> Are there any other ways to get the Smart Card to work without needing to
>> install additional software?
> Probably not.
>
> OpenSSL's PKCS#11 Engine implements the PKCS#11 API. That API needs a way to talk to the particular PKCS#11-compatible hardware you're using. That means it needs a driver, and generally some configuration as well.
>
> It's been a few years since I last played around with this - I got OpenSSL working with a NitroKey as part of a code-signing spike - but you'll need to investigate PKCS#11 support for your particular device. There are Open Source projects such as OpenSC which may give you part or all of what you need to get OpenSSL's PKCS#11 Engine working with your hardware.
>
> When I did it, it wasn't trivial. I spent a couple of days on investigation and experimenting before I got anything working, and a couple more days making sure I understood the entire process and documenting procedures that worked consistently. (With some applications I had persistent problems such as Windows insisting on prompting for the device PIN instead of letting me supply it programmatically, but I think that was only when using Microsoft APIs rather than going through OpenSSL.)
>
> If the client certificate uses a public key that corresponds to a private key on the smartcard, though, that's what you'll have to do. You can't use a certificate as a proof of identity without the corresponding private key. (Some HSMs and other crypto devices have support for exporting private keys, often as multiple shares, for backup and cloning purposes. Using that to get the private key for direct use defeats the whole purpose of an HSM, of course, so that shouldn't be used to bypass the card.)
>
> --
> Michael Wojcik

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20201214/80bc4b42/attachment.html>


More information about the openssl-users mailing list