[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [OpenSC-devel] Using OpenSSL ENGINE to get Certificate from Smartcard
- To: Kevin Stefanik <kstef@mtppi.org>
- Subject: Re: [OpenSC-devel] Using OpenSSL ENGINE to get Certificate from Smartcard
- From: "Douglas E. Engert" <deengert@anl.gov>
- Date: Thu, 07 Apr 2005 10:44:23 -0500
- Cc: opensc-devel@opensc.org, heimdal-discuss@sics.se
- In-Reply-To: <200504071109.26376.kstef@mtppi.org>
- References: <424D7C4F.6000607@anl.gov> <424DA11A.9020807@anl.gov> <4254599B.6000003@anl.gov> <200504071109.26376.kstef@mtppi.org>
- Sender: owner-heimdal-discuss@sics.se
- User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.2) Gecko/20040803
Kevin Stefanik wrote:
> On Wednesday 06 April 2005 05:50 pm, Douglas E. Engert wrote:
>
>>In response to my own request, I wrote a SSL engine ctrl routine
>>that can be used to load a certificate.
>>I have this working with the Heimdal PKINIT code.
>
>
> Great! Do you think this might get integrated into the main PKINIT?
I would hope so, but I would expect that they would want to see
that OpenSC has commited their part first and finalized the
parameters.
Note the way the patch is today, it assumes the certificate can be
read without providing a pin. If that is a problem, code could
be added, as it is in the pkcs11_load_key or it could be assumed
that the applicaiton would have to call the ENGINE_load_private_key
first.
>
>
>>The code uses the same parsing as used for the pkcs11_load_key.
>>They could even be combined, and this mod could be much smaller.
>>
>
>
> That definitely needs some clean-up, but that shouldn't hold up this patch.
I agree, the parsing could be in a seperate function, which would eliminate
90% of the mod. I was trying to keep the patch simple, and not touch
any other code if possible, so copied I copied the parsing.
>
>
>>The applicaiton, can request a certificate be loaded from slot_<n>-id_<x>
>>by something like:
>>
>> struct {
>> const char * cert_id;
>> X509 * cert;
>> } parms;
>>
>> parms.cert_id = "slot_0-id_1";
>> parms.cert = NULL;
>> ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
>> if (parms.cert) ...
>>
>>This does not require any OpenSSL modifications, but a
>>ENGINE_load_certifcate would be much more general.
>>
>>Please have a look at this and consider accepting this modification.
>
>
> It looks fine to me. A little c program that could be used for regression
> tests, as per your example above, would be a nice addition, though.
OK, I will look a this today.
>
> Maybe Nils can check it in?
>
> Thanks,
> Kevin
>
> _______________________________________________
> OpenSC-devel mailing list
> OpenSC-devel@opensc.org
> http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
>
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444