> From: tobias.w...@t-systems.com [mailto:tobias.w...@t-systems.com]
> Sent: Wednesday, October 23, 2019 02:11
>
> Our PKCS11 module development will discontinue and therefore I can't use it
> anymore, but the idea is great and very interesting.
> To give more details we need a callback or similar mechanism to replace the
> signature created in Certificate TLS message with our signature coming from
> the card reader.

For OpenSSL 1, the Engine mechanism is the way to do this. If you're 
discontinuing your PKCS#11 interface, then I think the only option is to write 
a custom engine.

For OpenSSL 3, I understand there's a new Provider mechanism for this purpose, 
but I haven't investigated it.

--
Michael Wojcik
Distinguished Engineer, Micro Focus


