[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Using OpenSSL ENGINE to get Certificate from Smartcard

In message <424D7361.7060803@anl.gov> on Fri, 01 Apr 2005 10:14:25 -0600, "Douglas E. Engert" <deengert@anl.gov> said:

deengert> The OpenSSL ENGINE facilities had ENGINE_load_private_key,
deengert> and ENGINE_load_public_key, but do not have ENGINE_load_certificate.
deengert> When the ENGINE is used by an application, such as the
deengert> Heimdal PKINIT code to use a smartcard to get a Kerberos
deengert> ticket the application does not have easy access to the
deengert> certificate stored on the smartcard.

In 0.9.8-dev, there's a potentially better mechanism that I started a
while ago (more than a year), called a STORE, which also comes with
ENGINE support.  However, because of lack of funding, I haven't found
the time to finish up (it's no small project).  I hope to get the
opportunity to feel financially safe enough to be able to finish that
module.  It would make it possible to retrieve (or retreive a handle
to) quite a number of different types of data from any store, smart
cards, SQLite databasees, LDAP repositories and whatnot.

I could add ENGINE_load_certificate(), but that would (hopefully) just
be a temporary solution before the grander solution (yes, I'm boasting
it :-)) is firmly in place.

deengert> The Heimdal code needs the certificate, as well as the key.
deengert> Currently the certificate must be loaded off the card
deengert> in a separate step, then passed in as a file.

Hmm, I imagine that ENGINE_load_certificate() would still be a
separate step.  I hope that's not a problem...


Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

Richard Levitte                         richard@levitte.org

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
						-- C.S. Lewis