Hi Peter, I would love to see this functionality in the engine_pkcs11. We have applications that would benefit from this addition.
Thanks!
David

----------------------------------------------------------------------
David Mattes
The Boeing Company
PO Box 3707 MC 7L-40
Boeing Research & Technology
Seattle, WA 98124-2207
Information & Network Technology
425-373-2886
Autonomous & NetEnabled Integration
425-213-4691 (cell)
425-373-2960 (fax)
david.mat...@boeing.com

> -----Original Message-----
> From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Peter Ordonez
> Sent: Thursday, December 01, 2011 1:18 PM
> To: opensc-devel@lists.opensc-project.org
> Subject: [opensc-devel] engine_pkcs11 enhancement
>
> Hi,
>
> I'd like to make an enhancement to engine_pkcs, so I'm sending a
> message to the community beforehand for feedback.
>
> engine_pkcs does not currently provide a way to get a certificate from
> a PKCS#11 hard token when accessed from OpenSSL. I'd like to enhance
> the engine to support the OpenSSL ENGINE_load_ssl_client_cert()
> function, which returns among other things an x509 certificate. Since
> the function provides no way that I can see to specify which
> certificate to "load", I would do this by adding a method to the
> engine to set the certificate name before actually getting the
> certificate.
>
> The way the function would be used when interfacing with
> OpenSSL would be roughly as follows:
>
> // Set the certificate name (slot-id) to use for a subsequent
> // certificate request
> ENGINE_ctrl_cmd(e, "CERT_ID", strlen(cert_name), cert_name, NULL, 0);
>
> // Get the certificate from the engine
> ENGINE_load_ssl_client_cert(e, https_ssl, ca_dn, &cert,
>                             &key, &othercerts, NULL, NULL);
>
> // Use the certificate when establishing an SSL session
> SSL_CTX_use_certificate(https_ctx, cert);
>
>
> The model is similar to the way that engine is used for setting the
> PIN as follows:
>
> ENGINE_ctrl_cmd(e, "PIN", strlen(pin), pin, NULL, 0);
>
> Subsequent engine private key functions use the PIN if one is set;
> otherwise, the user is prompted.
>
> Any feedback would be greatly appreciated.
>
> Thanks,
> Peter
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel