[openssl-users] Getting certificates from smartcards

Anirudh Raghunath

unread,

Jul 21, 2015, 3:00:00 AM7/21/15

to

Hello,

I would like to utilize the ENGINE_load_ssl_client_cert() function to load a certificate from my smart card. I have successfully loaded the engine and have also tried to play around with the ENGINE_load_private_key() function. It worked successfully and I was able to get the private key in an EVP_PKEY object. But I also want the certificate associated with it. I looked at the code of ENGINE_load_ssl_client_cert() but cannot understand the parameters passed to it. Can someone please guide me on how to use it and perhaps give a working example of the call to that function with the parameters clearly mentioned and explained? Thanks in advance.

Victor Wagner

unread,

Jul 21, 2015, 7:24:01 AM7/21/15

to

As far as I can understand, this function is designed to be called from
the client certificate callback, set with function
SSL_CTX_set_client_cert_cb. This callback gets pointer to SSL structure
(which should be passed to ENGINE_load_ssl_client_cert) and can use
SSL_get_client_CA_list to obtain list of CAs, which server would trust.
(SSL protocol allows to send this list to client).

So, you would pass to the ENGINE_load_ssl_client_certs

1. reference to engine to use
2. pointer to SSL object of your client connection (don't know why it
might be needed),
3. list of CA distinguished names (ca_dn) which server would trust.
You can obtain it from the SSL structure passed to your callback and
possibly filter something out of it.
4. Three pointers to variables where result should be placed -
one for certificate, other for private key and third for the stack of
intermediate CA certificates
5. UI method and its callback data (which you should be already
familiar with, because you have successfully managed to use
ENGINE_load_private_key).

Engine ought to find certificate-private key pair, where certificate is
issued by one of the CA in the list you pass (or at least chain of
trust from it to one of these CAs can be build)

Then engine asks user for PIN-code of private key and returns all the
objects - certificate, private key and chain of trust from this
certificate to one of CAs you've passed to it.

Probably, there can be situation where more than one certificate in the
hardware token matches given criteria (issued by one of given CA).
In this case engine should use ui_method to ask user which one of them
he wants to use.

Unfortunately, I do not know any engine which does all the things above.
I've looked into source of OpenSC pkcs11 engine version 0.1.8 and found
out that it doesn't support this function.

So I have to copy certificate out of token into file using pkcs11-tool
and use ENGINE_load_private_key to load key from token.
.

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Dr. Stephen Henson

unread,

Jul 21, 2015, 8:41:40 AM7/21/15

to

On Tue, Jul 21, 2015, Victor Wagner wrote:

> On Tue, 21 Jul 2015 06:58:24 +0000 (UTC)
> Anirudh Raghunath <anirudhr...@rocketmail.com> wrote:
>
> As far as I can understand, this function is designed to be called from
> the client certificate callback, set with function
> SSL_CTX_set_client_cert_cb. This callback gets pointer to SSL structure
> (which should be passed to ENGINE_load_ssl_client_cert) and can use
> SSL_get_client_CA_list to obtain list of CAs, which server would trust.
> (SSL protocol allows to send this list to client).
>

It's intended to be called automatically when SSL_CTX_set_client_cert_engine
sets up a "client authentication ENGINE".

> So, you would pass to the ENGINE_load_ssl_client_certs
>
> 1. reference to engine to use
> 2. pointer to SSL object of your client connection (don't know why it
> might be needed),

This is there so the ENGINE can query other properties of the connection which
might decide which chain to use. For example the supported signature
algorithms.

>
> Unfortunately, I do not know any engine which does all the things above.
> I've looked into source of OpenSC pkcs11 engine version 0.1.8 and found
> out that it doesn't support this function.
>

The CrytpoAPI ENGINE performs some of these tasks but so far it is the only
one I'm aware of.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Anirudh Raghunath

unread,

Jul 21, 2015, 10:01:54 AM7/21/15

to

Ah okay, that clears up quite a lot of doubts. But the certificate I want to load is a self signed certificate which has a private key attached to it. I used the XCA application to export the certificate-private key pair as a p12 file to the smart card. What should I do to get the certificate in this case? Thanks.

Victor Wagner

unread,

Jul 21, 2015, 2:19:40 PM7/21/15

to

On Tue, 21 Jul 2015 13:58:21 +0000 (UTC)
Anirudh Raghunath <anirudhr...@rocketmail.com> wrote:

> Ah okay, that clears up quite a lot of doubts. But the certificate I
> want to load is a self signed certificate which has a private key
> attached to it. I used the XCA application to export the
> certificate-private key pair as a p12 file to the smart card. What
> should I do to get the certificate in this case? Thanks.
>

It doesn't matter how you've installed certificate into smart card.
Once it, and its corresponding private key is installed on the card,
you can access them separately, using PKCS#11 API (and command-line
pkcs11-tool utility). So, you can extract just certificate from
certificate-private key pair and put it into the file (but typically
you cannot extract private key. You can only use PKCS11 API or OpenSSL
ENGINE API on top of it to perform cryptographic operations with this
private key. This is what smartcards are for).

If you have opensc pkcs11 engine, you also should have pkcs11-tool from
opensc project.

Use

pkcs11-tool --module <your pkcs11 module> --list-objects

to find out which certificate-private key pairs are available on your
card (you probably already know ID of your key pair, because you've used
ENGINE_load_private_key, and it requires key id as argument).

Then use

pkcs11-tool --module <your pkcs11 module> --write-object <id>
--type cert --output-file filename.der

to extract certificate from card. You can then convert it to pem
format using

openssl x509 -in filename.der -inform DER -out filename.pem

or can just use function SSL_CTX_use_certificate_file passing
SSL_FILETYPE_ASN1 as its argument.

Personally I consider it ugly that one need to extract certificate from
token before it can be used in openssl-based applications for any
purpose except SSL-client authentication.

Function

int ENGINE_load_certificate(ENGINE *e, const char *key id,
UI_METHOD *ui_method, void *callback_data)

is clearly missing from API.

Existence of such function would allow to use smartcards and other
hardware tokens to be used

1. In the server applications
2. In the non-SSL (i.e. CMS signing) applications
3. For secondary protocols like OCSP or timestamping authority.

Anirudh Raghunath

unread,

Jul 21, 2015, 4:57:46 PM7/21/15

to

Shoot, I need that functionality. Can I perhaps use the X509 *load_cert(BIO *err, const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip) function then? If yes, then can someone elaborate on how to use this function? Thanks

Anirudh Raghunath

unread,

Jul 22, 2015, 3:51:29 AM7/22/15

to

Shoot, I need that functionality. Can I perhaps use the X509 *load_cert(BIO *err, const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip) function then? If yes, then can someone elaborate on how to use this function? Thanks.