curl-library

Re: SSLv3 mutual authentication using libcurl and smart card

From: David Woodhouse <dwmw2_at_infradead.org>
Date: Tue, 27 Sep 2016 19:54:57 +0100

On Tue, 2016-09-27 at 17:11 +0000, Tiago dos Santos Gomes wrote:
> So how do I insert my access functions to the smartcard into a pkcs module 11? 
> Should I create a library? Some document or example to guide me? 
> It is my first project using this standard.

http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html

PKCS#11 is a standard API for crypto device drivers. You provide your
driver as a loadable shared library, with a set of defined entry points
— functions which conform to the above-referenced spec.

When you ask OpenSSL to use a given key from PKCS#11, it's going to
load your shared library and call those functions.

I was trying to be a little more helpful and use pkcs11-spy which
actually lets you watch all the calls into a PKCS#11 provider module
(there are software ones like SoftHSM which you can use for testing/
learning). But right now I can't make curl work at all with the engine;
something odd is going on. So I'll leave you reading the above, while I
try to fix that up :)

Then I'll give you a recipe for setting this up using a software
PKCS#11 module, and watching the calls into that software module with
pkcs11-spy. And then it's up to you to implement your own PKCS#11
provider module, which does the right thing when it's called in that
way (and ideally which conforms in general to the PKCS#11 spec).

But first, do check if one already exists. This isn't exactly an
esoteric requirement, surely, and PKCS#11 *is* the way that such
functionality should be exposed.

-- 
dwmw2

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html

Received on 2016-09-27
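The "shared library with a set of defined entry points" model described in the mail above, as an added example that is not part of the original message or of any existing module. It assumes stand-in type definitions in place of the OASIS pkcs11.h header, a function table truncated to its first four slots, and constructed manufacturer and description strings.

```c
#include <string.h>
typedef unsigned long CK_RV;
typedef struct { unsigned char major, minor; } CK_VERSION;
typedef struct {
    CK_VERSION cryptokiVersion;
    unsigned char manufacturerID[32];      /* blank-padded, not NUL-terminated */
    unsigned long flags;
    unsigned char libraryDescription[32];  /* blank-padded, not NUL-terminated */
    CK_VERSION libraryVersion;
} CK_INFO;
enum { CKR_OK = 0, CKR_ARGUMENTS_BAD = 7, CKR_CRYPTOKI_NOT_INITIALIZED = 0x190, CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x191 };
typedef struct CK_FUNCTION_LIST {  /* TRUNCATED: first four slots only; the spec's table is much longer */
    CK_VERSION version;
    CK_RV (*C_Initialize)(void *pInitArgs);
    CK_RV (*C_Finalize)(void *pReserved);
    CK_RV (*C_GetInfo)(CK_INFO *pInfo);
    CK_RV (*C_GetFunctionList)(struct CK_FUNCTION_LIST **ppFunctionList);
} CK_FUNCTION_LIST;
static int initialized;  /* library state that each entry point checks first */
static void pad(unsigned char *dst, const char *s) {  /* fill one 32-byte text field */
    memset(dst, ' ', 32);
    memcpy(dst, s, strlen(s) < 32 ? strlen(s) : 32);
}
CK_RV C_Initialize(void *pInitArgs) {  /* locking arguments are ignored in this sketch */
    if (initialized) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    initialized = 1;
    return CKR_OK;
}
CK_RV C_Finalize(void *pReserved) {
    if (pReserved) return CKR_ARGUMENTS_BAD;  /* reserved argument must be NULL */
    if (!initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    initialized = 0;
    return CKR_OK;
}
CK_RV C_GetInfo(CK_INFO *pInfo) {
    if (!initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    if (!pInfo) return CKR_ARGUMENTS_BAD;
    memset(pInfo, 0, sizeof *pInfo);
    pInfo->cryptokiVersion = (CK_VERSION){2, 40};
    pad(pInfo->manufacturerID, "Example (constructed)");
    pad(pInfo->libraryDescription, "Skeleton provider");
    return CKR_OK;
}
CK_RV C_GetFunctionList(CK_FUNCTION_LIST **ppFunctionList);
static CK_FUNCTION_LIST table = {{2, 40}, C_Initialize, C_Finalize, C_GetInfo, C_GetFunctionList};
CK_RV C_GetFunctionList(CK_FUNCTION_LIST **ppFunctionList) {  /* hands the caller the table */
    if (!ppFunctionList) return CKR_ARGUMENTS_BAD;
    *ppFunctionList = &table;
    return CKR_OK;
}
```

Because the table is truncated, this sketch must not be loaded by a real PKCS#11 consumer. A usable module fills every slot of the full CK_FUNCTION_LIST from pkcs11.h, returning CKR_FUNCTION_NOT_SUPPORTED from the functions it does not implement.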