Re: [opensc-devel] engine_pkcs11 enhancement
Hello,

On 12/6/11 6:02, Peter Ordonez wrote:
> engine_pkcs does not currently provide a way to get a certificate from a PKCS#11 hard token when accessed from OpenSSL. I'd like to enhance the engine to support the OpenSSL ENGINE_load_ssl_client_cert() function, which returns among other things an x509 certificate. Since the function provides no way that I can see to specify which certificate to load, I would do this by adding a method to the engine to set the certificate name before actually getting the certificate. The way the function would be used when interfacing with OpenSSL would be roughly as follows:

Would it allow returning a list of certificates instead? If there were multiple certificates, the application would be the best to decide which one to use (the search should also be over all available slots...)

I think that using a certificate should also indicate the private key to use, so that the only input from the calling application would be the certificate and associated PIN code.

Best,
Martin
--
@MartinPaljak
+3725156495
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] engine_pkcs11 enhancement
On Mon, Dec 5, 2011 at 12:53 PM, Mattes, David <david.mat...@boeing.com> wrote:
> Hi Peter,
>
> I would love to see this functionality in the engine_pkcs11. We have applications that would benefit from this addition.

I should have a patch ready for submission in a couple of days. Not much needs to be changed since the functionality for getting a certificate already exists; it's just not exposed publicly.

Regards,
Peter

> Thanks!
> David
>
> --
> David Mattes
> The Boeing Company
> PO Box 3707 MC 7L-40
> Boeing Research Technology
> Seattle, WA 98124-2207
> Information Network Technology 425-373-2886
> Autonomous NetEnabled Integration 425-213-4691 (cell)
> 425-373-2960 (fax)
> david.mat...@boeing.com
>
> -----Original Message-----
> From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Peter Ordonez
> Sent: Thursday, December 01, 2011 1:18 PM
> To: opensc-devel@lists.opensc-project.org
> Subject: [opensc-devel] engine_pkcs11 enhancement
>
> Hi,
>
> I'd like to make an enhancement to engine_pkcs, so I'm sending a message to the community beforehand for feedback.
>
> engine_pkcs does not currently provide a way to get a certificate from a PKCS#11 hard token when accessed from OpenSSL. I'd like to enhance the engine to support the OpenSSL ENGINE_load_ssl_client_cert() function, which returns among other things an x509 certificate. Since the function provides no way that I can see to specify which certificate to load, I would do this by adding a method to the engine to set the certificate name before actually getting the certificate.
>
> The way the function would be used when interfacing with OpenSSL would be roughly as follows:
>
>     // Set the certificate name (slot-id) to use for a subsequent certificate request
>     // (the command name is passed to ENGINE_ctrl_cmd() as a string)
>     ENGINE_ctrl_cmd(e, "CERT_ID", strlen(cert_name), cert_name, NULL, 0);
>
>     // Get the certificate from the engine (cert, key and othercerts are output parameters)
>     ENGINE_load_ssl_client_cert(e, https_ssl, ca_dn, &cert, &key, &othercerts, NULL, NULL);
>
>     // Use the certificate when establishing an SSL session
>     SSL_CTX_use_certificate(https_ctx, cert);
>
> The model is similar to the way that the engine is used for setting the PIN, as follows:
>
>     ENGINE_ctrl_cmd(e, "PIN", strlen(pin), pin, NULL, 0);
>
> Subsequent engine private key functions use the PIN if one is set; otherwise, the user is prompted.
>
> Any feedback would be greatly appreciated.
>
> Thanks,
> Peter
Re: [opensc-devel] engine_pkcs11 enhancement
Hi Peter,

I would love to see this functionality in the engine_pkcs11. We have applications that would benefit from this addition.

Thanks!
David

--
David Mattes
The Boeing Company
PO Box 3707 MC 7L-40
Boeing Research Technology
Seattle, WA 98124-2207
Information Network Technology 425-373-2886
Autonomous NetEnabled Integration 425-213-4691 (cell)
425-373-2960 (fax)
david.mat...@boeing.com

-----Original Message-----
From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Peter Ordonez
Sent: Thursday, December 01, 2011 1:18 PM
To: opensc-devel@lists.opensc-project.org
Subject: [opensc-devel] engine_pkcs11 enhancement

> Hi,
>
> I'd like to make an enhancement to engine_pkcs, so I'm sending a message to the community beforehand for feedback.
>
> engine_pkcs does not currently provide a way to get a certificate from a PKCS#11 hard token when accessed from OpenSSL. I'd like to enhance the engine to support the OpenSSL ENGINE_load_ssl_client_cert() function, which returns among other things an x509 certificate. Since the function provides no way that I can see to specify which certificate to load, I would do this by adding a method to the engine to set the certificate name before actually getting the certificate.
>
> The way the function would be used when interfacing with OpenSSL would be roughly as follows:
>
>     // Set the certificate name (slot-id) to use for a subsequent certificate request
>     // (the command name is passed to ENGINE_ctrl_cmd() as a string)
>     ENGINE_ctrl_cmd(e, "CERT_ID", strlen(cert_name), cert_name, NULL, 0);
>
>     // Get the certificate from the engine (cert, key and othercerts are output parameters)
>     ENGINE_load_ssl_client_cert(e, https_ssl, ca_dn, &cert, &key, &othercerts, NULL, NULL);
>
>     // Use the certificate when establishing an SSL session
>     SSL_CTX_use_certificate(https_ctx, cert);
>
> The model is similar to the way that the engine is used for setting the PIN, as follows:
>
>     ENGINE_ctrl_cmd(e, "PIN", strlen(pin), pin, NULL, 0);
>
> Subsequent engine private key functions use the PIN if one is set; otherwise, the user is prompted.
>
> Any feedback would be greatly appreciated.
>
> Thanks,
> Peter
[opensc-devel] engine_pkcs11 enhancement
Hi,

I'd like to make an enhancement to engine_pkcs, so I'm sending a message to the community beforehand for feedback.

engine_pkcs does not currently provide a way to get a certificate from a PKCS#11 hard token when accessed from OpenSSL. I'd like to enhance the engine to support the OpenSSL ENGINE_load_ssl_client_cert() function, which returns among other things an x509 certificate. Since the function provides no way that I can see to specify which certificate to load, I would do this by adding a method to the engine to set the certificate name before actually getting the certificate.

The way the function would be used when interfacing with OpenSSL would be roughly as follows:

    // Set the certificate name (slot-id) to use for a subsequent certificate request
    // (the command name is passed to ENGINE_ctrl_cmd() as a string)
    ENGINE_ctrl_cmd(e, "CERT_ID", strlen(cert_name), cert_name, NULL, 0);

    // Get the certificate from the engine (cert, key and othercerts are output parameters)
    ENGINE_load_ssl_client_cert(e, https_ssl, ca_dn, &cert, &key, &othercerts, NULL, NULL);

    // Use the certificate when establishing an SSL session
    SSL_CTX_use_certificate(https_ctx, cert);

The model is similar to the way that the engine is used for setting the PIN, as follows:

    ENGINE_ctrl_cmd(e, "PIN", strlen(pin), pin, NULL, 0);

Subsequent engine private key functions use the PIN if one is set; otherwise, the user is prompted.

Any feedback would be greatly appreciated.

Thanks,
Peter
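The two design questions raised in this thread are how the application names the certificate it wants (Peter's "certificate name (slot-id)" passed through ENGINE_ctrl_cmd) and, from Martin's reply, that the lookup should cover every slot and that the chosen certificate should determine the private key. The following is an added example written for this page; it is not code from the thread, from engine_pkcs11 or from OpenSSL. It uses the slot_<n>-id_<hex> / slot_<n>-label_<text> / id_<hex> / label_<text> reference syntax that engine_pkcs11 accepts for keys, applied here to certificates. The token table is constructed sample data standing in for what C_FindObjects would return, and the function names parse_obj_ref, find_cert and find_key_for_cert are my own. A reference without a slot is searched across all slots and the caller is told how many certificates matched, so an ambiguous reference can be rejected rather than silently resolved to the first hit; the private key is then paired with the certificate by CKA_ID within the same slot, which is the PKCS#11 convention for associating the two objects.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ID    16
#define MAX_LABEL 32

/* One object as the engine would see it after enumerating a token:
 * slot number, CKA_ID bytes, CKA_LABEL, and whether it is a certificate
 * (is_cert == 1) or a private key (is_cert == 0).
 * Constructed sample data, not read from a real token. */
typedef struct {
    int slot;
    unsigned char id[MAX_ID];
    size_t id_len;
    const char *label;
    int is_cert;
} tok_obj;

static const tok_obj TOKEN[] = {
    { 0, { 0x45 }, 1, "auth",    1 },
    { 0, { 0x45 }, 1, "auth",    0 },
    { 1, { 0x01 }, 1, "sign",    1 },
    { 1, { 0x01 }, 1, "sign",    0 },
    { 1, { 0x02 }, 1, "encrypt", 1 },  /* certificate with no private key */
    { 1, { 0x45 }, 1, "auth",    1 },  /* same CKA_ID as slot 0: ambiguous without a slot */
    { 1, { 0x45 }, 1, "auth",    0 },
};
#define NOBJ (sizeof TOKEN / sizeof TOKEN[0])

/* Parsed reference; slot == -1 means "search every slot". */
typedef struct {
    int slot;
    unsigned char id[MAX_ID];
    size_t id_len;          /* 0 when selecting by label */
    char label[MAX_LABEL];
} obj_ref;

static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse "slot_<n>-id_<hex>", "slot_<n>-label_<text>", "id_<hex>" or
 * "label_<text>". Returns 1 on success, 0 on a malformed reference. */
int parse_obj_ref(const char *s, obj_ref *out) {
    memset(out, 0, sizeof *out);
    out->slot = -1;
    if (strncmp(s, "slot_", 5) == 0) {
        char *end;
        long n = strtol(s + 5, &end, 10);
        if (end == s + 5 || *end != '-' || n < 0) return 0;
        out->slot = (int)n;
        s = end + 1;
    }
    if (strncmp(s, "id_", 3) == 0) {
        size_t len = strlen(s + 3);
        if (len == 0 || len % 2 || len / 2 > MAX_ID) return 0;   /* hex must be even length */
        for (size_t i = 0; i < len; i += 2) {
            int hi = hexval((unsigned char)s[3 + i]), lo = hexval((unsigned char)s[4 + i]);
            if (hi < 0 || lo < 0) return 0;
            out->id[i / 2] = (unsigned char)(hi << 4 | lo);
        }
        out->id_len = len / 2;
        return 1;
    }
    if (strncmp(s, "label_", 6) == 0) {
        if (s[6] == '\0' || strlen(s + 6) >= MAX_LABEL) return 0;
        strcpy(out->label, s + 6);
        return 1;
    }
    return 0;
}

static int obj_matches(const tok_obj *o, const obj_ref *ref) {
    if (ref->slot != -1 && o->slot != ref->slot) return 0;
    if (ref->id_len)
        return o->id_len == ref->id_len && memcmp(o->id, ref->id, ref->id_len) == 0;
    return strcmp(o->label, ref->label) == 0;
}

/* Search the requested slot, or all slots, for certificates matching ref.
 * Returns the index of the first match or -1; *nfound receives the number
 * of matches so the caller can refuse an ambiguous reference. */
int find_cert(const obj_ref *ref, int *nfound) {
    int first = -1;
    *nfound = 0;
    for (size_t i = 0; i < NOBJ; i++) {
        if (TOKEN[i].is_cert && obj_matches(&TOKEN[i], ref)) {
            if (first < 0) first = (int)i;
            (*nfound)++;
        }
    }
    return first;
}

/* The private key belonging to a certificate is the key object in the same
 * slot carrying the same CKA_ID. Returns its index or -1 if there is none. */
int find_key_for_cert(int cert_idx) {
    const tok_obj *c = &TOKEN[cert_idx];
    for (size_t i = 0; i < NOBJ; i++) {
        const tok_obj *o = &TOKEN[i];
        if (!o->is_cert && o->slot == c->slot && o->id_len == c->id_len &&
            memcmp(o->id, c->id, c->id_len) == 0)
            return (int)i;
    }
    return -1;
}

int main(void) {
    const char *refs[] = { "id_45", "slot_1-id_45", "label_sign", "id_02", "id_4" };
    for (size_t i = 0; i < sizeof refs / sizeof refs[0]; i++) {
        obj_ref ref; int n;
        if (!parse_obj_ref(refs[i], &ref)) { printf("%-14s malformed reference\n", refs[i]); continue; }
        int ci = find_cert(&ref, &n);
        if (ci < 0) { printf("%-14s no certificate\n", refs[i]); continue; }
        if (n > 1) { printf("%-14s ambiguous: %d certificates match\n", refs[i], n); continue; }
        int ki = find_key_for_cert(ci);
        printf("%-14s slot %d label %-8s key %s\n", refs[i], TOKEN[ci].slot, TOKEN[ci].label,
               ki >= 0 ? "found" : "missing");
    }
    return 0;
}
```

Running main walks five constructed references: "id_45" is reported ambiguous because both slots hold a certificate with that CKA_ID, "slot_1-id_45" resolves uniquely, "label_sign" finds its key, "id_02" finds a certificate with no key, and "id_4" is rejected as malformed. Whether the engine reports ambiguity to the caller or returns the whole candidate list, as Martin suggests, is a policy choice layered on the same search.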