

smart cards and web programming

From: Martin Paljak <>
Date: Sun, 13 Feb 2005 00:25:12 +0200

Dynamic OpenSSL Engines and PKCS#11.

What I want - to write applications that make use of data available on
the web and protected with strong authentication like smart cards.
What I have - an Estonian ID card, the OpenSC library with a pkcs11
module for it, and a dynamic openssl engine that enables any pkcs11
module for openssl (so any HSM that provides a pkcs11 library can be
used, for example something faster on the server side) and pycurl.
What I didn't have - a way to use the stuff together.

The quick patches should describe themselves. More error checking etc.
could be done.
Thanks go to Serge Hallyn for his similar patch for apache2 @ that
saved me some time from RTFM tasks.

* Issues/TODO
 - a generic attribute setter for engines might be smart.
 - as always - decent PIN handling... --pass has no effect (probably
work needed in the pkcs11 engine?)
 - ENG type certificates in libcurl
 - somewhere the path information of MODULE_PATH gets lost, that's why
there's LD_LIBRARY_PATH in play.


~/EstEID # pkcs15-tool -r 01 > auth.cert
~/EstEID # export LD_LIBRARY_PATH=/usr/lib/pkcs11:$LD_LIBRARY_PATH
~/EstEID # curl --engine dynamic --engine-path
/usr/lib/opensc/ --engine-id pkcs11 --engine-pkcs11
/usr/lib/pkcs11/ --key-type ENG --pass XXX --key id_01
--cert auth.cert --cert-type PEM --insecure
SmartCard PIN:
<html><head><title>AS Sertifitseerimiskeskuse tervitus</title></head>
<h1>Tere tulemast AS Sertifitseerimiskeskus kodulehele, <font
color='blue'>MARTIN PALJAK</font></h1><hr>
Jätkamiseks palun klikkige <a href=''>sellel lingil</a>
~/EstEID #

comments welcome


Martin Paljak - Gmail - private mail - web
+372.5156495 - phone

Received on 2005-02-12