Richard Levitte - VMS Whacker wrote:
In message <[EMAIL PROTECTED]> on Fri, 01 Apr 2005 10:14:25 -0600, "Douglas E. Engert" <[EMAIL PROTECTED]> said:
deengert> The OpenSSL ENGINE facilities had ENGINE_load_private_key,
deengert> and ENGINE_load_public_key, but do not have ENGINE_load_certificate.
deengert>
deengert> When the ENGINE is used by an application, such as the
deengert> Heimdal PKINIT code to use a smartcard to get a Kerberos
deengert> ticket the application does not have easy access to the
deengert> certificate stored on the smartcard.
In 0.9.8-dev, there's a potentially better mechanism that I started a while ago (more than a year), called a STORE, which also comes with ENGINE support. However, because of lack of funding, I haven't found the time to finish up (it's no small project). I hope to get the opportunity to feel financially safe enough to be able to finish that module. It would make it possible to retrieve (or retrieve a handle to) quite a number of different types of data from any store, smart cards, SQLite databases, LDAP repositories and whatnot.
I could add ENGINE_load_certificate(), but that would (hopefully) just be a temporary solution before the grander solution (yes, I'm boasting it :-)) is firmly in place.
STORE sounds interesting.
deengert> The Heimdal code needs the certificate, as well as the key.
deengert> Currently the certificate must be loaded off the card
deengert> in a separate step, then passed in as a file.
Hmm, I imagine that ENGINE_load_certificate() would still be a separate step. I hope that's not a problem...
Not really, as the OpenSC engine-pkcs11.so "opens" the card once, and keeps it open to fetch the certificate then later sign the hash etc. The ENGINE_load_certificate would be a big step forward.
The overhead I am seeing is having to basically "open" the card twice with two separate programs, pkcs15-tool and kinit. In my case the pkcs15 emulation code has to test the card, and read the certificate twice. This extra overhead may be 5 to 20 seconds, which adds a lot to login. Other cards may have different overhead.
Eventually the code should be called from a Heimdal PKINIT PAM routine, so having it all together would make it much easier.
Hopefully ENGINE_load_certificate is a small project, and I can help.
Cheers, Richard
----- Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details.
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
