Hey fellows,

I would like your help implementing an integration with SafeNet HSM hardware. I
know OpenSSL, but I have never used it with PKCS#11.

I have an HTTPS server and I wonder how to supply the certificate,
private key and passphrase for the HTTPS handshake through PKCS#11.

How do I change my functions load_key and load_cert to use PKCS#11? Is there any good
sample? I tried the OpenSC samples, but ...

I am posting my code, which is based on the OpenSSL s_client
command-line application:

Or, how do I make s_client use my HSM: connecting to a slot, supplying the PIN, etc.
...

Note: I am using openssl-0.9.8g


/*
 * One-time TLS set-up for this HTTPS endpoint: registers the OpenSSL
 * algorithms and error strings, loads the client private key and
 * certificate, builds the SSL_CTX and attaches an SSL object to this
 * socket. Only a fragment is shown ("...." marks elided code); sslErr,
 * bRet, nOptions, sslCtx, sslMeth, nServerVerify, ssl and sslBio are not
 * declared in the visible part -- presumably members of the enclosing
 * object (note the `this->Handle()` call).
 *
 * AInitVars - not used in the visible part of the body.
 * Return value: the visible failure paths set bRet to False and jump to
 * the `end` label, which lies in the elided tail; presumably bRet is
 * returned from there. Whether `end` releases `key` and `cert` on the
 * failure paths cannot be seen here -- confirm there is no leak of a
 * loaded key when the certificate fails to load.
 */
Bool Initialize(Bool AInitVars)
{
    EVP_PKEY* key = NULL;
    X509* cert = NULL;
    ....
    OpenSSL_add_ssl_algorithms();
    SSL_load_error_strings();
    ....
    /* The author's "???? HSM ????" marks the two calls below as the ones
     * that currently read PEM files and would have to be replaced for
     * PKCS#11-backed key/certificate loading. load_key() already prints
     * its own diagnostics, so the ERR_print_errors() that follows may
     * print the same queue twice. */
    key = load_key(sslErr, nOptions.KeyFiles[2], nOptions.PassPhrase); //
???? HSM ????
    if (!key)
    {
        ERR_print_errors(sslErr);
        bRet = False;
        goto end;
    }
    cert = load_cert(sslErr, nOptions.CertificateFiles[2],
nOptions.PassPhrase); // ???? HSM ????
    if (!cert)
    {
        ERR_print_errors(sslErr);
        bRet = False;
        goto end;
    }
    sslCtx=SSL_CTX_new(sslMeth);
    ....
    /* nServerVerify selects the peer-verification mode; verify_callback_https
     * (not shown) is consulted for each certificate in the peer chain. */
    SSL_CTX_set_verify(sslCtx,nServerVerify,verify_callback_https);

    /* Installs the loaded certificate and private key into the context. */
    if (!set_cert_key_stuff(sslCtx,cert,key))
    {
        bRet = False;
        goto end;
    }
    /* NOTE(review): CertificateFiles[2], already used as the client
     * certificate above, is also given here as the trusted-CA file. If that
     * file holds only the leaf certificate, peer verification trusts only
     * that exact certificate plus the default paths -- confirm this is
     * intended rather than a separate CA bundle. */
    if
((!SSL_CTX_load_verify_locations(sslCtx,nOptions.CertificateFiles[2],NULL))
||
      (!SSL_CTX_set_default_verify_paths(sslCtx)))
    {
      /* BIO_printf(bio_err,"error setting default verify locations\n"); */
      ERR_print_errors(sslErr);
      /* goto end; */
      /* With the goto above commented out, failing to load the trusted CAs
       * is non-fatal: the error queue is printed and the context is still
       * used, so verify_callback_https and nServerVerify alone decide
       * whether an unverifiable peer is accepted. */
    }
    ssl = SSL_new(sslCtx);

    /* BIO_NOCLOSE: the socket stays owned by this object, not by the BIO. */
    sslBio = BIO_new_socket(this->Handle(),BIO_NOCLOSE);
    SSL_set_bio(ssl, sslBio, sslBio);
    ....
}



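/*
 * Load the client private key from a PEM file, or from stdin when file is
 * NULL.
 *
 * err  - BIO that receives diagnostics and the OpenSSL error queue.
 * file - path of the PEM-encoded private key; NULL means read from stdin.
 *        Also used as the prompt text by password_callback.
 * pass - passphrase handed to password_callback for an encrypted key (may
 *        be NULL, in which case the callback prompts). Only the pointer is
 *        stored, nothing is copied, so the caller keeps ownership of the
 *        buffer and is responsible for clearing it after use.
 *
 * Returns a new EVP_PKEY that the caller must release with EVP_PKEY_free(),
 * or NULL on failure (diagnostics already written to err).
 */
EVP_PKEY* load_key(BIO *err, const char *file /*PEM FILE*/, const char *pass)
{
    BIO *key = NULL;
    EVP_PKEY *pkey = NULL;
    PW_CB_DATA cb_data;

    cb_data.password = pass;
    cb_data.prompt_info = file;

    key = BIO_new(BIO_s_file());
    if (key == NULL) {
        ERR_print_errors(err);
        goto end;
    }
    if (file == NULL) {
        /* Unbuffered stdin so a passphrase prompt and the key data do not
         * get mixed up in a stdio buffer. */
        setvbuf(stdin, NULL, _IONBF, 0);
        BIO_set_fp(key, stdin, BIO_NOCLOSE);
    }
    else if (BIO_read_filename(key, file) <= 0) {
        BIO_printf(err, "Error opening client private key file %s\n", file);
        ERR_print_errors(err);
        goto end;
    }

    /* PEM format (default). The read is placed after the if/else so that
     * the stdin path is parsed too: previously only the file branch reached
     * PEM_read_bio_PrivateKey, so file == NULL always returned NULL. */
    pkey = PEM_read_bio_PrivateKey(key, NULL,
                                   (pem_password_cb *)password_callback,
                                   &cb_data);

end:
    if (key != NULL)
        BIO_free(key);
    if (pkey == NULL) {
        /* Same reporting path as load_cert(): message plus the OpenSSL
         * error queue on the caller-supplied err BIO. */
        BIO_printf(err, "unable to load client private key file\n");
        ERR_print_errors(err);
    }
    return pkey;
}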

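/*
 * Load the client certificate from a PEM file, or from stdin when file is
 * NULL.
 *
 * err  - BIO that receives diagnostics and the OpenSSL error queue.
 * file - path of the PEM-encoded certificate; NULL means read from stdin.
 *        Also used as the prompt text by password_callback.
 * pass - passphrase handed to password_callback if the PEM is encrypted
 *        (may be NULL). Previously this parameter was ignored because the
 *        callback received no user data; it is now passed the same way as
 *        in load_key(). Only the pointer is stored; the caller keeps
 *        ownership of the buffer.
 *
 * Returns a new X509 that the caller must release with X509_free(), or
 * NULL on failure (diagnostics already written to err).
 */
X509* load_cert(BIO *err, const char *file, const char *pass)
{
    X509 *x = NULL;
    BIO *cert = NULL;
    PW_CB_DATA cb_data;

    cb_data.password = pass;
    cb_data.prompt_info = file;

    if ((cert = BIO_new(BIO_s_file())) == NULL) {
        ERR_print_errors(err);
        goto end;
    }

    if (file == NULL) {
        /* Unbuffered stdin so a passphrase prompt and the certificate data
         * do not get mixed up in a stdio buffer. */
        setvbuf(stdin, NULL, _IONBF, 0);
        BIO_set_fp(cert, stdin, BIO_NOCLOSE);
    }
    else if (BIO_read_filename(cert, file) <= 0) {
        BIO_printf(err, "Error opening client certificate file %s\n", file);
        ERR_print_errors(err);
        goto end;
    }

    /* PEM format (default). The _AUX variant also accepts the trailing
     * trust-settings block that "openssl x509 -trustout" may append. */
    x = PEM_read_bio_X509_AUX(cert, NULL,
                              (pem_password_cb *)password_callback,
                              &cb_data);

end:
    if (x == NULL) {
        BIO_printf(err, "unable to load certificate\n");
        ERR_print_errors(err);
    }
    /* The unused BUF_MEM local of the original (never allocated, only
     * freed) has been dropped. */
    if (cert != NULL)
        BIO_free(cert);
    return x;
}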



Thanks in advance,

Ricardo.
