Re: Using OpenSSL ENGINE to get Certificate from Smartcard

Richard Levitte - VMS Whacker wrote:

> In message <424D7361.7060803@anl.gov> on Fri, 01 Apr 2005 10:14:25 -0600, "Douglas E. Engert" <deengert@anl.gov> said:
> 
> deengert> The OpenSSL ENGINE facilities had ENGINE_load_private_key,
> deengert> and ENGINE_load_public_key, but do not have ENGINE_load_certificate.
> deengert> 
> deengert> When the ENGINE is used by an application, such as the
> deengert> Heimdal PKINIT code to use a smartcard to get a Kerberos
> deengert> ticket the application does not have easy access to the
> deengert> certificate stored on the smartcard.
> 
> In 0.9.8-dev, there's a potentially better mechanism that I started a
> while ago (more than a year), called a STORE, which also comes with
> ENGINE support.  However, because of lack of funding, I haven't found
> the time to finish up (it's no small project).  I hope to get the
> opportunity to feel financially safe enough to be able to finish that
> module.  It would make it possible to retrieve (or retrieve a handle
> to) quite a number of different types of data from any store, smart
> cards, SQLite databases, LDAP repositories and whatnot.
> 
> I could add ENGINE_load_certificate(), but that would (hopefully) just
> be a temporary solution before the grander solution (yes, I'm boasting
> it :-)) is firmly in place.

STORE sounds interesting.

> 
> deengert> The Heimdal code needs the certificate, as well as the key.
> deengert> Currently the certificate must be loaded off the card
> deengert> in a separate step, then passed in as a file.
> 
> Hmm, I imagine that ENGINE_load_certificate() would still be a
> separate step.  I hope that's not a problem...

Not really, as the OpenSC engine-pkcs11.so "opens" the card once,
and keeps it open to fetch the certificate then later sign the hash etc.
The ENGINE_load_certificate would be a big step forward.

The overhead I am seeing is having to basically "open" the card twice
with two separate programs, pkcs15-tool and kinit. In my case the
pkcs15 emulation code has to test the card, and read the certificate
twice. This extra overhead may be 5 to 20 seconds, which adds a lot to login.
Other cards may have different overhead.

Eventually the code should be called from a Heimdal PKINIT PAM
routine, so having it all together would make it much easier.

Hopefully ENGINE_load_certificate is a small project,
and I can help.

> 
> Cheers,
> Richard
> 
> -----
> Please consider sponsoring my work on free software.
> See http://www.free.lp.se/sponsoring.html for details.
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444