From: "Alexander Kuit" <[EMAIL PROTECTED]>

AKuit> As far as I understand this function, it requests the private key from the
AKuit> engine. Unfortunately (but not surprisingly), the private key is inside
AKuit> the smartcard and cannot be read (only selected for cryptographic
AKuit> operations). So how can a client perform a successful handshake,
AKuit> including sending its certificate, without providing a private key?
AKuit> This is crucial for our security requirements, so any help would
AKuit> be very appreciated.

Incorrect.  All one really needs to do is to refer to the private key
and have appropriate routines use that reference to do encryption and
verification.  That's what an engine does, it redirects relevant RSA
operations to whatever library handles the card (which ultimately
leads to the card itself, I suppose), and creates a fake RSA key that
is just a reference (by some kind of identity) to the private key on
the card.

The client does *not* need to actually read the bits of the private
key, it just needs to use the appropriate operations on it (or the
reference to it).

Some of your text above seems to suggest the client needs to send the
private key over to the server.  I hope that wasn't what you meant,
because *that* would be really bad from a security point of view.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus:             http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
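An added example (my own model, not code from this thread or from OpenSSL) of the arrangement Richard describes: the card exposes only a private-key operation, the engine hands the client a key object that is nothing but an identity plus a route to the card, and the client's handshake signature is computed through that reference. Textbook RSA with tiny constructed primes stands in for the card's real RSA operation, and the key id and transcript bytes are made up.

```python
import hashlib

# Constructed demo key: p=61, q=53, so n=3233, e=17, d=2753 (not a real key).
N, E, D = 3233, 17, 2753

def digest_mod_n(data, n):
    """Both sides hash the data and reduce it into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

class SmartCard:
    """Keeps (n, d) per key id and offers only a private-key operation."""
    def __init__(self, keys):
        self._keys = keys              # key_id -> (n, d); never returned

    def private_op(self, key_id, data):
        n, d = self._keys[key_id]
        return pow(digest_mod_n(data, n), d, n)

class KeyRef:
    """The engine's 'fake' RSA key: an identity plus a route to the card."""
    def __init__(self, key_id, card):
        self.key_id = key_id
        self.card = card

    def sign(self, data):
        return self.card.private_op(self.key_id, data)

class Engine:
    """Redirects RSA private operations for loaded keys to the card."""
    def __init__(self, card):
        self.card = card

    def load_private_key(self, key_id):
        return KeyRef(key_id, self.card)   # no key bits leave the card

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_mod_n(data, n)

def run_handshake(transcript=b"ClientHello...ServerHelloDone"):
    """Client authentication: the client signs the transcript through the
    key reference; the server checks it with the certificate's public key.
    Returns (signature_valid, private_material_in_key_ref)."""
    engine = Engine(SmartCard({"slot0-rsa": (N, D)}))
    key_ref = engine.load_private_key("slot0-rsa")
    certificate_verify = key_ref.sign(transcript)   # what goes on the wire
    valid = verify((N, E), transcript, certificate_verify)
    leaked = D in vars(key_ref).values()
    return valid, leaked

if __name__ == "__main__":
    print(run_handshake())
```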
