Hi all, I need your help implementing an integration with SafeNet HSM hardware. I know OpenSSL, but I have never used it with PKCS#11.
I have an HTTPS server and I am wondering how to supply the certificate, private key and passphrase for the HTTPS handshake through PKCS#11. How do I change my functions load_key and load_cert to use PKCS#11? Is there a good sample? I tried the OpenSC samples, but without success. I am posting my code, which is based on the OpenSSL s_client command-line application. Alternatively: how do I make s_client use my HSM (connecting to a slot, supplying the PIN, etc.)? Note: I am using openssl-0.9.8g. Bool Initialize(Bool AInitVars) { EVP_PKEY* key = NULL; X509* cert = NULL; .... OpenSSL_add_ssl_algorithms(); SSL_load_error_strings(); .... key = load_key(sslErr, nOptions.KeyFiles[2], nOptions.PassPhrase); // ???? HSM ???? if (!key) { ERR_print_errors(sslErr); bRet = False; goto end; } cert = load_cert(sslErr, nOptions.CertificateFiles[2], nOptions.PassPhrase); // ???? HSM ???? if (!cert) { ERR_print_errors(sslErr); bRet = False; goto end; } sslCtx=SSL_CTX_new(sslMeth); .... SSL_CTX_set_verify(sslCtx,nServerVerify,verify_callback_https); if (!set_cert_key_stuff(sslCtx,cert,key)) { bRet = False; goto end; } if ((!SSL_CTX_load_verify_locations(sslCtx,nOptions.CertificateFiles[2],NULL)) || (!SSL_CTX_set_default_verify_paths(sslCtx))) { /* BIO_printf(bio_err,"error setting default verify locations\n"); */ ERR_print_errors(sslErr); /* goto end; */ } ssl = SSL_new(sslCtx); sslBio = BIO_new_socket(this->Handle(),BIO_NOCLOSE); SSL_set_bio(ssl, sslBio, sslBio); .... 
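}

/*
 * Load the client private key from a PEM file (or from stdin when file is
 * NULL) and return it as an EVP_PKEY, or NULL on failure.
 *
 * err   BIO that diagnostics are written to.
 * file  path of the PEM-encoded private key; NULL means read stdin.
 * pass  passphrase handed to password_callback for an encrypted key; may be
 *       NULL, in which case the callback decides how to prompt.
 *
 * Fix: the original only called PEM_read_bio_PrivateKey inside the
 * file != NULL branch, so the stdin path always returned NULL. The parse now
 * runs after the input selection for both paths, and a parse failure prints
 * the OpenSSL error queue the same way load_cert does.
 *
 * NOTE(review): this is a file-based loader and cannot be pointed at a
 * PKCS#11 token. A key held in an HSM must not be read into process memory
 * at all; for that the EVP_PKEY has to come from the PKCS#11 ENGINE
 * (ENGINE_load_private_key with a key id) and this function is bypassed --
 * confirm the exact ctrl commands against the engine_pkcs11 docs for the
 * OpenSSL version in use (0.9.8g here).
 */
EVP_PKEY *load_key(BIO *err, const char *file /* PEM file */, const char *pass)
{
    BIO *in = NULL;
    EVP_PKEY *pkey = NULL;
    PW_CB_DATA cb_data;

    cb_data.password = pass;
    cb_data.prompt_info = file;

    in = BIO_new(BIO_s_file());
    if (in == NULL) {
        ERR_print_errors(err);
        goto end;
    }

    if (file == NULL) {
        /* Unbuffered stdin so an interactively pasted key is consumed as typed. */
        setvbuf(stdin, NULL, _IONBF, 0);
        BIO_set_fp(in, stdin, BIO_NOCLOSE);
    } else if (BIO_read_filename(in, file) <= 0) {
        BIO_printf(err, "Error opening client private key file %s\n", file);
        ERR_print_errors(err);
        goto end;
    }

    /* PEM is the only supported format (same as the original). */
    pkey = PEM_read_bio_PrivateKey(in, NULL,
                                   (pem_password_cb *)password_callback,
                                   &cb_data);

end:
    if (in != NULL)
        BIO_free(in);
    if (pkey == NULL) {
        msprintf("unable to load client private key file\n");
        /* Drain the error queue so the reason (bad passphrase, not PEM, ...)
         * is visible; the caller's own ERR_print_errors then prints nothing. */
        ERR_print_errors(err);
    }
    return pkey;
}

/*
 * Load the client certificate from a PEM file (or from stdin when file is
 * NULL). Returns the X509, or NULL after printing the OpenSSL error queue.
 *
 * err   BIO that diagnostics are written to.
 * file  path of the PEM-encoded certificate; NULL means read stdin.
 * pass  unused: a certificate is public and the original passed no callback
 *       data to PEM_read_bio_X509_AUX. Kept so the signature matches load_key.
 *
 * Cleanup: the BUF_MEM local in the original was never allocated or used and
 * has been removed; behaviour is otherwise unchanged.
 *
 * NOTE(review): for an HSM deployment the certificate (and chain) can stay
 * in a file; only the private key needs to come from the token.
 */
X509 *load_cert(BIO *err, const char *file, const char *pass)
{
    X509 *x = NULL;
    BIO *in = BIO_new(BIO_s_file());

    (void)pass; /* not used for certificates */

    if (in == NULL) {
        ERR_print_errors(err);
        goto end;
    }

    if (file == NULL) {
        setvbuf(stdin, NULL, _IONBF, 0);
        BIO_set_fp(in, stdin, BIO_NOCLOSE);
    } else if (BIO_read_filename(in, file) <= 0) {
        BIO_printf(err, "Error opening client certificate file %s\n", file);
        ERR_print_errors(err);
        goto end;
    }

    /* PEM is the only supported format (same as the original). */
    x = PEM_read_bio_X509_AUX(in, NULL,
                              (pem_password_cb *)password_callback, NULL);

end:
    if (x == NULL) {
        BIO_printf(err, "unable to load certificate\n");
        ERR_print_errors(err);
    }
    if (in != NULL)
        BIO_free(in);
    return x;
}

Thanks in advance, Ricardo.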