Hi, I'd like to make an enhancement to engine_pkcs, so I'm sending a message to the community beforehand for feedback.
engine_pkcs does not currently provide a way to get a certificate from a PKCS#11 hard token when accessed from OpenSSL. I'd like to enhance the engine to support the OpenSSL ENGINE_load_ssl_client_cert() function, which returns, among other things, an X509 certificate. Since the function provides no way that I can see to specify which certificate to "load", I would do this by adding a method to the engine to set the certificate name before actually getting the certificate.

The way the function would be used when interfacing with OpenSSL would be roughly as follows:

    // Set the certificate name (slot-id) to use for a subsequent certificate request
    ENGINE_ctrl_cmd(e, "CERT_ID", strlen(cert_name), cert_name, NULL, 0);

    // Get the certificate from the engine
    ENGINE_load_ssl_client_cert(e, https_ssl, ca_dn, &cert, &key, &othercerts, NULL, NULL);

    // Use the certificate when establishing an SSL session
    SSL_CTX_use_certificate(https_ctx, cert);

The model is similar to the way that the engine is used for setting the PIN, as follows:

    ENGINE_ctrl_cmd(e, "PIN", strlen(pin), pin, NULL, 0);

Subsequent engine private key functions use the PIN if one is set; otherwise, the user is prompted.

Any feedback would be greatly appreciated.

Thanks,
Peter

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel