[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [OpenSC-devel] Using OpenSSL ENGINE to get Certificate from Smartcard

Eric Dorland wrote:
> Hi Douglas,
> * Douglas E. Engert (deengert@anl.gov) wrote:
>>[Also sent to openssl-dev@openssl.org, and heimdal-discuss@sics.se]
>>The OpenSSL ENGINE facilities had ENGINE_load_private_key,
>>and ENGINE_load_public_key, but do not have ENGINE_load_certificate.
>>When the ENGINE is used by an application, such as the
>>Heimdal PKINIT code to use a smartcard to get a Kerberos
>>ticket the application does not have easy access to the
>>certificate stored on the smartcard.
> I don't mean to bug you, but I've wanted to try the PKINIT stuff for a
> while, can you point me at any documentation? 


This talks about getting the source, configure, make,
and mods to the krb5.conf to use the OpenSC provided
sslengine called opensc/engine_pkcs11.so. This engine then loads
a PKCS11 plugin. In this documentation, Love was using
his own soft-pkcs11.so that got the key from a file.

I switched to using the OpenSC opensc-pkcs11.so
This can then use any pkcs15 smartcards or PKCS15 emulated cards.

What I have been up to was creating a pkcs15-gemsafe.so to be
used as a plugin as a pkcs15 emulation. I sent this to OpenSC
this week. This allows us to use the same smartcard on Linux
as well as Windows, using the same data on the card.

So what you need is:
   Heimdal with PKINIT mods
   Either OpenCT or Muscle's PCSC and dribver for you reader.

A lot of this depends on what smartcards and readers, you have,
and if you already have a CA, KDC with PKINIT, like Windows AD
in place.

Peter Duff in a note on 1/17/2005 to heimdal-dicuss asked
the question about getting the cert from the smartcard, as well
as the key. WHat I describe below is a way to do that.

>>The Heimdal code needs the certificate, as well as the key.
>>Currently the certificate must be loaded off the card
>>in a separate step, then passed in as a file.
>>Is there any chance that:
>> (1) OpenSSL would implement ENGINE_load_certificate
>> (2) OpenSC would use it in their sslengine/hw_pkcs11.c
>> (3) Heimdal would use it to load the certificate from the
>>     smartcard?
>>Even if (1) is not done,  It looks possible to use the
>>ENGINE_ctrl to do this if OpenSC would add a routine to
>>access the certificate and the Heimdal code would call it.
>>I am in the process of getting Heimdal on Linux to use OpenSC
>>to access a GemSAFE card, which was initialized for use
>>for Windows login to za domain.
>>So far its working, but the above is a problem as the
>>certificate needs to be load ahead of time or each time
>>by a seperate step, like:
>> pkcs15-tool -r 1 > $TMFCERTFILE
>>I am willing to look at the three steps, if it looks like
>>(1) would be accepted. If not I will look the ENGINE_ctrl


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444