Alexander Kuit wrote:
>
> On 12.12.2001 11:12:35 Vadim Fedukovich wrote:
>
> >On Wed, 12 Dec 2001, Alexander Kuit wrote:
> >
> >>
> >> >> I'm using the engine version to let the client do rsa private encryption
> >> >> by a smartcard. This means of course that the private key is hidden
> >> >> inside the card. However, during debugging SSL_connect() I
> >> >> discovered that a client certificate is only sent to the server if
> >> >> a private key is set (e.g. by SSL_CTX_use_PrivateKey).
> >> >look for ENGINE_load_private_key(...) in engine.h.
> >>
> >> As far as I understand this function, it requests the private key from the
> >> engine. Unfortunately (but not surprisingly), the private key is inside
> >> the smartcard and cannot be read (only selected for cryptographic
> >> operations). So how can a client perform a successful handshake,
> >> including sending its certificate, without providing a private key?
> >> This is crucial for our security requirements, so any help would
> >> be very appreciated.
> >
> >Short answer is your card should be capable of doing "MD5+SHA1" type
> >of signature and this function should be available as "rsa_sign"
> >member of ENGINE structure. RSA_FLAG_SIGN_VER should be set to route
> >signing operation to the card. This signing will be requested while
> >ssl3_send_client_verify().
> There seems to be no way around that, which means that I have to provide
> a private key, even if I don't have one (it's in the card).

But you have an EVP_PKEY.

> I now believe I understand that's what ENGINE_load_private_key() is for
> (please correct me if I'm still wrong). If I'm right with that, then how
> do I generate a "dummy" private key, without having to fill in the bits
> of the rsa structure myself?

That is exactly what ENGINE_load_private_key(...) does.
You get a handle to a private key (filled with public data
and some other data that the ENGINE needs to access its
internal private key).
You call SSL_CTX_use_PrivateKey() with this EVP_PKEY
returned from the ENGINE...

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
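What the "MD5+SHA1" signature type discussed in the thread asks of the card, as an added example that is not part of the original messages or of OpenSSL's code: for the SSL3/TLS 1.0 client verify, the value to sign is the 36-byte MD5 || SHA1 concatenation, padded as PKCS#1 v1.5 block type 1 with no DigestInfo wrapper. The function name is hypothetical, and the example assumes a card that performs only the raw RSA private-key operation, so the rsa_sign hook has to build the block itself.

```c
#include <stddef.h>
#include <string.h>

#define MD5_LEN       16
#define SHA1_LEN      20
#define MD5_SHA1_LEN  (MD5_LEN + SHA1_LEN)  /* 36 bytes, no DigestInfo wrapper */
#define PKCS1_MIN_PAD 11                    /* 00 01, at least 8 x FF, 00 */

/*
 * Hypothetical helper: build the PKCS#1 v1.5 block type 1 encoding of an
 * "MD5+SHA1" value, ready for a raw RSA private-key operation on the card.
 *
 * hashes : MD5(handshake) || SHA1(handshake), exactly 36 bytes
 * out    : buffer of modlen bytes (modlen = RSA modulus size in bytes)
 *
 * Returns 1 on success, 0 on bad input. Nothing is written on failure.
 */
int encode_md5_sha1_block(const unsigned char *hashes, size_t hashes_len,
                          unsigned char *out, size_t modlen)
{
    size_t pad_len;

    if (hashes == NULL || out == NULL)
        return 0;
    if (hashes_len != MD5_SHA1_LEN)          /* reject anything but 16 + 20 */
        return 0;
    if (modlen < MD5_SHA1_LEN + PKCS1_MIN_PAD)
        return 0;                            /* key too small for this block */

    pad_len = modlen - MD5_SHA1_LEN - 3;     /* number of FF padding bytes */
    out[0] = 0x00;
    out[1] = 0x01;                           /* block type 1: private-key op */
    memset(out + 2, 0xFF, pad_len);
    out[2 + pad_len] = 0x00;                 /* separator before the data */
    memcpy(out + 3 + pad_len, hashes, MD5_SHA1_LEN);
    return 1;
}
```

A card that applies PKCS#1 padding itself would instead be handed only the 36 hash bytes, and must be told not to add a DigestInfo prefix.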