cURL / Mailing Lists / curl-library / Single Mail

curl-library

SSLv3 mutual authentication using libcurl and smart card

From: Tiago dos Santos Gomes <tiago.gomes_at_telematica.com.br>
Date: Fri, 16 Sep 2016 19:35:40 +0000

Hi,

I need some help to establish a communication channel to consume a webservice using SSLv3 with mutual authentication, libcurl and a smart card, which will store the client certificate, the key pair and will be responsible for signatures, encryptions, etc.

For testing purposes, without using the smart card, the following brief code runs smoothly:

....
(SOAP message configurations)
....

curl_easy_setopt (curl, CURLOPT_USE_SSL, CURLUSESSL_ALL);
curl_easy_setopt (curl, CURLOPT_SSLVERSION, 3);
curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 1);

curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 2);
curl_easy_setopt (curl, CURLOPT_SSLCERT, "clientCertificateFile");
curl_easy_setopt (curl, CURLOPT_KEYPASSWD, "testPrivateKeyPass");
curl_easy_setopt (curl, CURLOPT_SSLKEY, "testPrivateKeyFile");
curl_easy_setopt (curl, CURLOPT_CAINFO, "CAcertificateFile");
curl_easy_setopt (curl, CURLOPT_URL, "URLtoWebService");

curl_easy_perform (curl);

After running this code, I can establish communication using SSLv3
and get the expected response from the webservice. However, I need to
establish this secure channel using the smart card. I have free access
to the following information:

"clientCertificateFile" - stored on the smart card, in PEM format. It can be read through access function.
"CAcertificateFile" - stored on disk, in PEM format. It can be read through access function.
"URLtoWebService" - stored in the application.

"testPrivateKeyFile" and "testPrivateKeyPass" are temporary files
used only for testing and should be replaced by the smart card.

My doubt is: How to use the smart card to replace the private key and password in the libcurl setup process?

The smart card does not allow access to private key, only to the
public key, as expected. However, I can send to the smart card data to be signed
or encrypted, using the private key, and get the resulting buffer.

Is there any way to redirect part of the SSLv3 connection handshake to use my smart card? Some setting in lib ssl, or libcurl?

Thanks for listening!

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-09-16