From: "Alexander Kuit" <[EMAIL PROTECTED]>

AKuit> As far as I understand this function, it requests the private key from the
AKuit> engine. Unfortunately (but not surprisingly), the private key is inside
AKuit> the smartcard and cannot be read (only selected for cryptographic
AKuit> operations). So how can a client perform a successful handshake,
AKuit> including sending its certificate, without providing a private key?
AKuit> This is crucial for our security requirements, so any help would
AKuit> be very appreciated.
Incorrect. All one really needs to do is to refer to the private key and have
appropriate routines use that reference to do encryption and verification.
That's what an engine does: it redirects relevant RSA operations to whatever
library handles the card (which ultimately leads to the card itself, I
suppose), and creates a fake RSA key that is just a reference (by some kind of
identity) to the private key on the card. The client does *not* need to
actually read the bits of the private key, it just needs to use the
appropriate operations on it (or the reference to it).

Some of your text above seems to suggest the client needs to send the private
key over to the server. I hope that wasn't what you meant, because *that*
would be really bad from a security point of view.

-- 
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/
Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
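As an added illustration (not code from the reply above and not OpenSSL's own code), here is a small Python model of the arrangement Richard describes: the engine hands the client a key reference whose sign operation is redirected to the card, and the TLS client produces its CertificateVerify signature through that reference without ever holding the private exponent. The card object, the key id "slot0", and the tiny textbook RSA numbers are constructed for the example; in OpenSSL the corresponding calls are ENGINE_load_private_key() and SSL_CTX_use_PrivateKey(), not these stand-ins.

```python
# Model of an engine "reference key" backed by a smartcard (added example).
# Toy RSA parameters are constructed for illustration and are NOT secure.
import hashlib


class SmartCard:
    """Holds the private key material; exposes signing only, never the bits."""

    def __init__(self):
        # Constructed key: n = 61 * 53 = 3233, e = 17, d = 2753 (17*2753 = 1 mod 3120).
        self._keys = {"slot0": {"n": 3233, "d": 2753}}

    def sign(self, key_id, digest):
        # The private exponent is used here, inside the card, and never leaves it.
        k = self._keys[key_id]
        return pow(digest % k["n"], k["d"], k["n"])


class EngineKeyRef:
    """What the engine returns to the application: a reference, not a key."""

    def __init__(self, card, key_id, n, e):
        self._card = card      # where operations are redirected to
        self.key_id = key_id   # the "identity" that selects the key on the card
        self.n, self.e = n, e  # public part only; no 'd' is stored here

    def sign(self, digest):
        return self._card.sign(self.key_id, digest)


def engine_load_private_key(card, key_id):
    """Stand-in for ENGINE_load_private_key(): looks up the public half and
    returns a reference object whose sign() is redirected to the card."""
    return EngineKeyRef(card, key_id, n=3233, e=17)


def transcript_digest(transcript):
    # Hash of the handshake messages so far; reduced mod n by the toy RSA.
    return int.from_bytes(hashlib.sha256(transcript).digest(), "big")


def client_certificate_verify(keyref, transcript):
    """Client side: sign the handshake transcript via the reference only."""
    return keyref.sign(transcript_digest(transcript))


def server_verify(n, e, transcript, signature):
    """Server side: verify with the public key taken from the client cert."""
    return pow(signature, e, n) == transcript_digest(transcript) % n
```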