Our PKCS11 module development will be discontinued and therefore I can't use it 
anymore, but the idea is great and very interesting. 
To give more details: we need a callback or similar mechanism to replace the 
signature created in the Certificate TLS message with our signature coming from the 
card reader.

TLS handshake
......
S: Certificate Request
C: Certificate Verify --> here we want to hook in "Signature" and replace the value!
.....

We already tried the client certificate callback

int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);

But there it is mandatory to provide the private key, which we don't have, 
because that part is done by the card reader machine. 
I think the caller of the callback later does RSA sign processing with 
the private key, and that is where I want to hook in!

Tobias Wolf, T-Systems

-----Original Message-----
From: openssl-users <openssl-users-boun...@openssl.org> On Behalf Of Michael 
Wojcik
Sent: Tuesday, 22 October 2019 17:00
To: openssl-users@openssl.org
Subject: RE: openssl and external card reader support in TLS

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On 
> Behalf Of tobias.w...@t-systems.com
> Sent: Tuesday, October 22, 2019 07:03

> I need to implement support for the external authentication of a card 
> reader within a TLS handshake. We did this already with PKCS11 using 
> the C_Sign function and it is working fine.

> Now I need to implement the same functionality in another use case 
> with openssl for TLS handshake.

> My question: is there a callback I can use, or do I need to implement my own 
> ENGINE?

OpenSSL includes a PKCS#11 engine. I've used it in the past to interact with 
some HSMs for cryptographic operations such as code signing. While some 
research and additional software may be required to get all the PKCS#11 ducks 
in a row, it sounds like you've already successfully used PKCS#11 with your 
device, so I'd expect using it with OpenSSL will be fairly straightforward.

You can find examples of using the openssl command-line utility with the 
PKCS#11 engine online. That's a good way to get started; it will let you 
confirm what settings and commands you need.

--
Michael Wojcik
Distinguished Engineer, Micro Focus

