curl-library
Re: SSLv3 mutual authentication using libcurl and smart card
Date: Mon, 26 Sep 2016 13:28:17 +0100
On Fri, 2016-09-16 at 19:35 +0000, Tiago dos Santos Gomes wrote:
> My doubt is: How to use the smart card to replace the private key and
> password in the libcurl setup process?
>
>
> The smart card does not allow access to private key, only to the
> public key, as expected. However, I can send to the smart card data to be signed
> or encrypted, using the private key, and get the resulting buffer.
You haven't specified the platform you're working on, the crypto
library you've built curl against, or the method by which the smart
card is accessible.
So I'm going to make some assumptions to make life easy: You are using
Fedora 24, your smart card is accessible via a properly-installed¹
PKCS#11 module, and you have rebuilt libcurl against GnuTLS instead of
NSS so that it complies with the Fedora packaging guidelines and no
longer suffers from https://bugzilla.redhat.com/show_bug.cgi?id=1219544
Given those assumptions, the answer is now trivial. You replace the
filenames for your client certificate and key, with the PKCS#11 URI for
them in the smart card, as defined by RFC7512.
For example (from the command line):
curl -E 'pkcs11:manufacturer=piv_II;id=%01' $URL
In the general case in Fedora, *anything* which will take certificates
from a file *SHOULD* also happily accept a RFC7512 PKCS#11 URI in place
of a filename. Please file bugs and Cc me if you find anything that
doesn't.
Of course, none of this is really Fedora-specific, and the above should
point you in the right direction even if you're using a different
system. It SHOULD work like this everywhere, but YMMV especially if you
use platforms where people are paying less attention to such things.
¹ That is, one which installs a p11-kit module file to ensure that it is visible by default in applications.
-- dwmw2
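The reply above hinges on handing libcurl an RFC 7512 PKCS#11 URI (such as `pkcs11:manufacturer=piv_II;id=%01`) where it used to get a file name. The following builder/parser for that URI syntax is an added example, not code from the thread or from the curl project; it assumes nothing beyond RFC 7512's attribute syntax (path attributes separated by `;`, query attributes after `?` separated by `&`, percent-encoding for anything outside the unreserved set) and treats `id` as the raw CKA_ID bytes it usually is.

```python
"""Build and parse RFC 7512 PKCS#11 URIs of the kind the thread passes to
curl -E / CURLOPT_SSLCERT in place of a certificate or key file name."""
from urllib.parse import quote, unquote_to_bytes

# RFC 7512 allows percent-encoding of any byte, so encoding everything except
# the unreserved set (ALPHA / DIGIT / "-" / "." / "_" / "~") is always valid.
_UNRESERVED = "-._~"


def _encode(value):
    # Accept bytes (e.g. a CKA_ID such as b"\x01") or str (token labels etc.).
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    return quote(raw, safe=_UNRESERVED)


def build_pkcs11_uri(path_attrs, query_attrs=None):
    """path_attrs: pk11-pattr dict (token, manufacturer, id, object, type ...).
    query_attrs: pk11-qattr dict (module-name, pin-source, pin-value ...)."""
    uri = "pkcs11:" + ";".join(f"{k}={_encode(v)}" for k, v in path_attrs.items())
    if query_attrs:
        uri += "?" + "&".join(f"{k}={_encode(v)}" for k, v in query_attrs.items())
    return uri


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs). 'id' comes back as bytes, every other
    value as a UTF-8 str. Raises ValueError on malformed or duplicate attributes."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")

    def split(part, sep):
        out = {}
        for item in filter(None, part.split(sep)):
            key, eq, val = item.partition("=")
            if not key or not eq:
                raise ValueError(f"malformed attribute {item!r}")
            if key in out:
                raise ValueError(f"duplicate attribute {key!r}")
            raw = unquote_to_bytes(val)
            out[key] = raw if key == "id" else raw.decode("utf-8")
        return out

    return split(path_part, ";"), split(query_part, "&")


def has_embedded_pin(uri):
    """True if the URI carries the PIN inline via the RFC 7512 'pin-value'
    attribute; such a URI lands in shell history and process listings, so
    'pin-source' (a file or URL the PIN is read from) is the safer choice."""
    return "pin-value" in parse_pkcs11_uri(uri)[1]
```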