Someone asked about getting the s_client app working to test the opensc engine
for openssl 0.9.7b. From what I can tell, s_client doesn't accept a -keyform
argument and assumes that the key is in a file. Any objections or
recommendations if I attempt to change that as below? The only real
headache will be getting the engine function references into the right place.
Can I use the SSL_CTX structure that's already being passed in for that?
Also, is there a way to load certificates through the engine interface?
Thanks,
Kevin Stefanik
---------- Forwarded Message ----------
Subject: Re: [OpenSC-devel] opensc and https client authentication
Date: Wednesday 23 July 2003 06:41 pm
From: Kevin Stefanik <[EMAIL PROTECTED]>
To: David Mattes <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Okay, here goes:
The s_client app is currently hardwired to expect file names. In addition, I
don't see how the ssl engine structure provides for getting certificates from
the key.
The changes to s_client app to take a -keyform switch and load the key from
the opensc engine should be doable.. it does require changing the
set_cert_stuff function (not widely used) to accept a flag indicating key
type (PEM file, engine, etc.) and changing the SSL_CTX_use_Privatekey_file to
look at something other than a file (the flag is already being handed in to
it). Both of these appear do-able.
The certificate would then need to be dumped to a file and referenced that
way, though. Unless I'm missing some path through the engine interface that
would enable the loading of a certificate via the engine? Very likely!
I'll try to get a bit more info from the openssl folks.
Kevin
On Wednesday 23 July 2003 04:19 pm, David Mattes wrote:
> hi,
>
> i'm trying to use opensc and openssl for https (secure web) client
> authentication. i'm trying to test the connection using openssl's
> s_client command. i can do other openssl tasks with the card (req) and
> freeswan client authentication (which reads the cert). i have an opensc
> smartcard (cryptoflex 16k) with the pkcs15 structure on it:
>
> X.509 Certificate [Certificate]
> Flags : 2
> Authority: no
> Path : 3F0050155501
> ID : 45
>
> Private RSA Key [Private Key]
> Com. Flags : D
> Usage : [0x4], sign
> Access Flags: [0x0]
> ModLength : 1024
> Key ref : 0
> Native : yes
> Path : 3F0050154B010012
> Auth ID : 01
> ID : 45
>
> I try to start the s_client connection as follows:
>
> OpenSSL> engine dynamic -pre
> SO_PATH:/usr/local/lib/opensc/engine_opensc.so -pre ID:opensc -pre
> LIST_ADD:1 -pre LOAD
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/local/lib/opensc/engine_opensc.so
> [Success]: ID:opensc
> [Success]: LIST_ADD:1
> [Success]: LOAD
> Loaded: (opensc) opensc engine
> OpenSSL> s_client -engine opensc -connect localhost:443 -cert 45 -key 45
> -state -debug
> engine "opensc" set.
> unable to get certificate from '45'
> 16422:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:259:fopen('45','r')
> 16422:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
> 16422:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system
> lib:ssl_rsa.c:513:
>
>
> can anybody tell me why the certificate can't be retrieved?
>
> thanks,
> david
>
> _______________________________________________
> OpenSC-devel mailing list
> [EMAIL PROTECTED]
> http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
-------------------------------------------------------
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]