On Mon, Dec 5, 2011 at 12:53 PM, Mattes, David <david.mat...@boeing.com> wrote:
> Hi Peter,
>
> I would love to see this functionality in the engine_pkcs11. We have
> applications that would benefit from this addition.

I should have a patch ready for submission in a couple of days. Not much
needs to be changed since the functionality for getting a certificate
already exists; it's just not exposed publicly.

Regards,
Peter

> Thanks!
> David
> ----------------------------------------------------------------------
> David Mattes                     The Boeing Company
> PO Box 3707 MC 7L-40             Boeing Research & Technology
> Seattle, WA 98124-2207           Information & Network Technology
> 425-373-2886                     Autonomous & NetEnabled Integration
> 425-213-4691 (cell)
> 425-373-2960 (fax)
> david.mat...@boeing.com
>
>> -----Original Message-----
>> From: opensc-devel-boun...@lists.opensc-project.org
>> [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Peter Ordonez
>> Sent: Thursday, December 01, 2011 1:18 PM
>> To: opensc-devel@lists.opensc-project.org
>> Subject: [opensc-devel] engine_pkcs11 enhancement
>>
>> Hi,
>>
>> I'd like to make an enhancement to engine_pkcs, so I'm sending a
>> message to the community beforehand for feedback.
>>
>> engine_pkcs does not currently provide a way to get a certificate from
>> a PKCS#11 hard token when accessed from OpenSSL. I'd like to enhance
>> the engine to support the OpenSSL ENGINE_load_ssl_client_cert()
>> function, which returns among other things an x509 certificate. Since
>> the function provides no way that I can see to specify which
>> certificate to "load", I would do this by adding a method to the
>> engine to set the certificate name before actually getting the
>> certificate. The way the function would be used when interfacing with
>> OpenSSL would be roughly as follows:
>>
>> // Set the certificate name (slot-id) to use for a subsequent
>> // certificate request
>> ENGINE_ctrl_cmd(e, "CERT_ID", strlen(cert_name), cert_name, NULL, 0);
>>
>> // Get the certificate from the engine
>> ENGINE_load_ssl_client_cert(e, https_ssl, ca_dn, &cert, &key,
>>                             &othercerts, NULL, NULL);
>>
>> // Use the certificate when establishing an SSL session
>> SSL_CTX_use_certificate(https_ctx, cert);
>>
>> The model is similar to the way that engine is used for setting the
>> PIN as follows:
>>
>> ENGINE_ctrl_cmd(e, "PIN", strlen(pin), pin, NULL, 0);
>>
>> Subsequent engine private key functions use the PIN if one is set;
>> otherwise, the user is prompted.
>>
>> Any feedback would be greatly appreciated.
>>
>> Thanks,
>> Peter
>> _______________________________________________
>> opensc-devel mailing list
>> opensc-devel@lists.opensc-project.org
>> http://www.opensc-project.org/mailman/listinfo/opensc-devel