<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
On 14/12/20 08:08, George wrote:<br>
</div>
<blockquote type="cite"
cite="mid:292d3b25-9197-4977-a406-0a19abc15a0d@gmail.com">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
Hi,<br>
<br>
I'm new to OpenSSL and am trying to set up mutual
authentication in a client. The client is set up with OpenSSL
1.0.2u, and the client's certificate and private key are stored on a
smart card. When the client receives a certificate request from
the server during the mutual authentication handshake, the OpenSSL
<i>client_cert_cb</i> callback function is automatically invoked.
The problem is that <i>client_cert_cb</i> requires a private key.
Unfortunately, it is not possible to get a private key from a
smart card. Is there a way to send a certificate to the server
without needing the private key?<br>
<br>
I'm setting up the callback function with:<br>
<br>
<font size="+1" face="monospace">void
SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int
(*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));</font><br>
<br>
<br>
Here is a sample of what my code looks like when I set this up:<br>
<br>
<font size="+1" face="monospace">SSL_CTX_set_client_cert_cb(context,
<b>openSSLClientAuthenticationCallBack</b>);<br>
<br>
int <b>openSSLClientAuthenticationCallBack</b>(SSL *ssl, X509
**x509, EVP_PKEY **pkey)<br>
{<br>
. . .<br>
}<br>
</font><br>
<br>
I can access the smart card using the PKCS#11 interface and I'm
able to get the certificate, sign with the card, etc. However, I cannot
get the actual private key off the smart card.<br>
<br>
Does anyone know how I can get around this problem?<br>
<br>
</blockquote>
<br>
To use a PKCS#11 smartcard you normally use the OpenSSL pkcs11
engine; you then do something like:<br>
<br>
/* load the named engine through the "dynamic" engine; NULL on failure */<br>
ENGINE *eaptls_ssl_load_engine( const char *engine_name )<br>
{<br>
    ENGINE *pkey_engine;<br>
<br>
    ENGINE_register_all_complete();<br>
    pkey_engine = ENGINE_by_id( "dynamic" );<br>
    if (pkey_engine)<br>
    {<br>
        if (!ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH", engine_name, 0)<br>
            || !ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0))<br>
        {<br>
            warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name );<br>
            log_ssl_errors();<br>
            ENGINE_free(pkey_engine);<br>
            pkey_engine = NULL;<br>
        }<br>
    }<br>
    return pkey_engine;<br>
}<br>
<br>
/* caller: load the engine, make it the default, then fetch the key handle */<br>
pkey_engine = eaptls_ssl_load_engine( "pkcs11" );<br>
if (pkey_engine)<br>
{<br>
    if (!ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL))<br>
        warn( "EAP-TLS: Error setting default engine" );<br>
    pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, transfer_pin, &amp;cb_data);<br>
    SSL_CTX_use_PrivateKey(ctx, pkey);<br>
}<br>
<br>
where "transfer_pin" is a callback UI function to query the user for
the pkcs11 device password.<br>
<br>
More detailed code can be found in my pppd EAP-TLS patch, file
eap-tls.c at<br>
<a class="moz-txt-link-freetext" href="https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c">https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c</a><br>
<br>
(and search for pkey_engine)<br>
<br>
HTH,<br>
<br>
JJK<br>
<br>
</body>
</html>