Re: libcurl & smartcards
Date: Fri, 1 Jan 2016 17:09:37 +0100
On Thu, Dec 31, 2015 at 08:19:28PM +0000, Mckinney, Lee wrote:
> Our project is looking to: [upon PKI challenge from a server]
> 1. display/list the certificates contained on a smartcard/CAC to allow user
> selection of a cert
> 2. present PIN challenge for the selected cert
> 3. if correct PIN, grant access to the server resource
> Out of the box, libcurl does present a PIN challenge
I think you are right. libcurl supports many TLS backends. I know only
a little bit about OpenSSL backend.
OpenSSL library supports conversation between an application and an OpenSSL's
crypto engine (for example engine_pkcs11 for accessing PKCS11 modules).
However, libcurl does not export the interface, it only wraps the PIN request
by passing a value preset by curl_easy_setopt(curl, CURLOPT_TLSAUTH_PASSWORD,
Moreover, in case of engine_pkcs11, selecting client certificate is an optional
feature of a crypto engine. The OpenSSL library passes server's list of
acceptable authorities to the engine and it's on the engine to
select proper certificate. The engine can start an interactive conversation
with an application, for example listing available certificates and querying
the application for the ordinal number of the certificate from the certificate
list. But this is unsupported by libcurl, and not yet implemented in the
engine_pkcs11 engine. (I sent a preliminary patch
<https://github.com/petrpisaratlascz/engine_pkcs11/commit/45128081cd1e082569468651d8f297249edd03e0> two years ago).
> What is the next step?
People who know about other libcurl TLS backends could describe their status
and then libcurl could implement some conversation interface bridging the TLS
backend with the libcurl application. Probably as some kind of callback
functions for displaying questions, for gathering answer and a special one for
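The PIN-preset path the reply describes, as an added example that is not part of the thread nor of libcurl or engine_pkcs11: the curl CLI (a thin wrapper over libcurl) with OpenSSL's pkcs11 engine, the PIN handed over through `--pass` (the command-line counterpart of CURLOPT_KEYPASSWD) from a config read on stdin rather than from argv. The engine name and the PKCS#11 URIs are assumed placeholders for a given card.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: OpenSSL's engine_pkcs11
# is loadable as the "pkcs11" engine, the PKCS#11 URIs below are placeholders
# for the card's own objects, and the URL is a server that issues a client
# certificate challenge.

# Emit a curl config fragment so the PIN never appears on the command line
# (argv is readable by every local process via ps or /proc/<pid>/cmdline).
# $1 = certificate PKCS#11 URI, $2 = private-key PKCS#11 URI, $3 = PIN
build_curl_config() {
    printf 'engine = "pkcs11"\n'
    printf 'cert-type = "ENG"\n'
    printf 'key-type = "ENG"\n'
    printf 'cert = "%s"\n' "$1"
    printf 'key = "%s"\n' "$2"
    printf 'pass = "%s"\n' "$3"
}

# Prompt for the PIN without echo and feed the config to curl on stdin (-K -),
# so the only things on argv are the config flag and the URL.
fetch_with_card() {
    url="$1"
    cert_uri="${2:-pkcs11:token=PLACEHOLDER;object=PLACEHOLDER-CERT;type=cert}"
    key_uri="${3:-pkcs11:token=PLACEHOLDER;object=PLACEHOLDER-KEY;type=private}"
    printf 'Smartcard PIN: ' >&2
    stty -echo; read -r pin; stty echo; printf '\n' >&2
    build_curl_config "$cert_uri" "$key_uri" "$pin" | curl -sS -K - "$url"
}

# Weak variant kept only for comparison: the same options passed as flags,
# which exposes the PIN in the process list for the lifetime of the request.
# curl --engine pkcs11 --cert-type ENG --key-type ENG --cert "$cert_uri" \
#      --key "$key_uri" --pass "$pin" "$url"
```

Because the PIN is still a preset value, the flow is exactly the one the reply describes: libcurl answers the engine's PIN callback from CURLOPT_KEYPASSWD, and certificate selection is left entirely to the engine.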