curl-library
Re: SSLv3 mutual authentication using libcurl and smart card
Date: Mon, 26 Sep 2016 19:41:03 +0100
(You dropped me from Cc. Please don't do that if you want me to try to
 help you! http://david.woodhou.se/reply-to-list.html%c2 )
On Mon, 2016-09-26 at 15:53 +0000, Tiago dos Santos Gomes wrote:
>
> Here are some additional information to better explain my problem:
>
> Embedded Linux: Ubuntu 16.04 (kernel 3.14.38)
> Processor: i.MX 6UltraLite
> libcurl4-openssl-dev (OpenSSL flavor)
> libcurl3 (OpenSSL flavor)
>
> The card is accessed directly from my application, through a
> combination of APDUÂ commands and IOCTL calls. There is no USB reader
> for access to the card because it is directly connected to the board
> (Sim Card Holder Connector). Using Freescale IMX SIM interface, I can
> send APDU commands to the card, for example, to sign or encrypt a
> buffer.
>
> Given this information, the solution that you suggested can still be
> applied?
Yes, I think it's still the simplest approach.
Take your APDU IOCTL code that you already have in your application,
and put it into a trivial PKCS#11 module. It only needs to claim to
have a *single* key in it, if that's all you have.
The key in that PKCS#11 module can then be used from any well-behaved
application by its PKCS#11 URI, fairly much as I described before.
Right now, I don't think curl is well-behaved in that sense — I think
you need to play silly buggers with CURLOPT_SSLENGINE and other
OpenSSL-specific horridness that you really shouldn't have to do; you
should only need to provide a RFC7512 PKCS#11 URI as CURLOPT_SSLCERT
and regardless of which crypto library you use, it should work the
same.
(I actually thought I'd fixed that, and it isn't particularly hard;
I'll do it soon.)
There are two alternative approaches, which I don't think are as
useful. One is that you provide an OpenSSL ENGINE; the OpenSSL-specific
plugin mechanism. But that's not as generally useful as providing a
PKCS#11 module, and ENGINE_pkcs11 for OpenSSL already bridges the two,
so it doesn't seem worth doing an ENGINE instead of a PKCS#11 module.
The other is what I did years ago when I decided I needed to control
all the crypto myself and talk directly to the crypto libraries... I
eschewed curl altogether and wrote my own HTTP code. Having mostly
fixed the crypto side since then so that we don't need to do that any
more, I wouldn't advocate that you follow my lead there :)
-- dwmw2
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
- application/x-pkcs7-signature attachment: smime.p7s