On 3/11/2012 8:51 PM, OpenSC wrote: > #429: obtain certificate or private key using slot id and an index > ----------------------------+---------------------------- > Reporter: BevanCollins | Owner: opensc-devel@… > Type: enhancement | Status: new > Priority: normal | Milestone: > Component: engine_pkcs11 | Version: > Severity: normal | Keywords: > Blocked By: | Blocking: > ----------------------------+---------------------------- > LOAD_CERT_CTRL supports the following formats to specify slot and > certificate: > <id>,<slot>:<id>, id_<id>, slot_<slot>-id_<id>, label_<label>, > slot_<slot>-label_<label> > where<slot> is the slot number as normal integer > and<id> is the id number as hex string. > and<label> is the textual key label string. > > I need to be able to obtain all certificates loaded on a token without > prior knowledge of the certificates that are stored on the token.
AFAIK the OpenSSL engine code can only load one certificate (or key) at a time. It is designed to load one certificate or key and can pass in a clue to the engine, i.e. the slot_<slot>-id_<id> string. OPenSSL engine is not designed to load all certificates and therefore engine_pkcs11 does not have the operation you request multiple certificates. pkcs15-tool -c and pkcs11-tool -O can read or list all the objects on a card. You could use these programs in scripts, or use the code from these programs in your own programs to get the slot and id of all the certificates then use the OpenSSL engine to retrieve these one at a time. You could use a ENGINE_ctrl_cmd to a engine_pkcs11 function added to the pkcs11_cmd_defns in hw_pkcs11.c to enumerate the certificates, and return their IDs. This would only be available if you write code to make the calls, you could not just use it in scripts that call the OpenSLL provided apps. An approach that would not work would be to define a id_INDEX.<index> that could be put into engine_pkcs11.c around line 490, that would return the <index>th cert from the call at line 480 to PKCS11_enumerated_certs. This would return the next cert, but not its id or its label. The main problem with this is you will need to use the matching key and since the enumeration of the keys may not match the enumeration of the certs (as not every cert has to have a key and there is no requirement that the enumerations match.) You still need the id or label of the key which you program would not do not have. > -- Douglas E. Engert <deeng...@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
