Aslam,

I had the same problem. I solved it in the following way: 
I got the certificate from CryptoAPI and created an X509 struct from it. For
the private key, I created an RSA struct and filled it with as much data as I
could from CryptoAPI. I couldn't get the private key, of course, so I got
only the key length... I used the app_data field of the RSA struct to point
to a struct that contains extra info about the key (e.g. an indication that
this is a CryptoAPI key, and the key's HCRYPTPROV and HCRYPTKEY). After
that, the key should be wrapped as an EVP_PKEY.
In order for the extra information to be actually used, I created a new
RSA_METHOD with functions that call CryptoAPI to do the work. I had to
implement the rsa_sign function too, in order to be able to call the
CryptoAPI SignHash function with CALG_SSL3_SHAMD5.

So when OpenSSL wants to use the private key associated with a connection,
my rsa_method functions are being called, they determine if the key is an
OpenSSL key (and if so - the original rsa_meth is used) or a CryptoAPI key
(and then CryptoAPI is used with the extra info saved in the struct pointed
by the app_data field).

This works for RSA keys only (As far as I know there is no EVP_PKEY_METHOD
so you can't hook your code to the EVP level), but you can do the same for
DSA keys too, if your application uses them.

Hope this helps.

        Tal


> -----Original Message-----
> From: Aslam [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, November 13, 2001 6:50 PM
> To:   '[EMAIL PROTECTED]'
> Subject:      how to set up SSL_CTX to use private keys from smartcards..??
> 
> Hi,
>  
> I'm using openssl-0.9.6b for performing ssl/tls client and server stuff...
> I'm able to do it when I export my private keys in some file (PEM or pkcs8
> format) and call appropriate API for SSL_CTX to set the private key. All
> this works well.. But how to set up the SSL_CTX to use private keys
> from some smartcard or say from a key container in Microsoft crypto stuff ??
>  
> Thanks
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
