
Using OpenSSL ENGINE to get Certificate from Smartcard



The OpenSSL ENGINE facilities have ENGINE_load_private_key
and ENGINE_load_public_key, but do not have ENGINE_load_certificate.

When the ENGINE is used by an application, such as the
Heimdal PKINIT code using a smartcard to get a Kerberos
ticket, the application does not have easy access to the
certificate stored on the smartcard.

The Heimdal code needs the certificate, as well as the key.
Currently the certificate must be loaded off the card
in a separate step, then passed in as a file.

Is there any chance that:

  (1) OpenSSL would implement ENGINE_load_certificate

  (2) OpenSC would use it in their sslengine/hw_pkcs11.c

  (3) Heimdal would use it to load the certificate from the
      smartcard?

Even if (1) is not done, it looks possible to use
ENGINE_ctrl to do this if OpenSC would add a routine to
access the certificate and the Heimdal code would call it.

I am in the process of getting Heimdal on Linux to use OpenSC
to access a GemSAFE card, which was initialized for use
for Windows login to a domain.

So far it's working, but the above is a problem, as the
certificate needs to be loaded ahead of time or each time
by a separate step, like:
  pkcs15-tool -r 1 > $TMPCERTFILE
  kinit -C ENGINE:CERT=$TMPCERTFILE,KEY=...


I am willing to look at the three steps, if it looks like
(1) would be accepted. If not, I will look at the ENGINE_ctrl
option.

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444