I've a simple SSL client that uses OpenSSL library. My server requires client authentication & so I've to set client's private key stored in a password protected PEM file. I use the following code for this purpose:
/* set the private key from KeyFile */
if (SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0)
{
ERR_print_errors_fp(stderr);
abort();
}
/* verify private key */
if ( !SSL_CTX_check_private_key(ctx) )
{
fprintf(stderr, "Private key does not match the public certificate\n");
abort();
}
Now I want to know how can I establish a SSL connection using private key stored on a security token (with PKCS#11 interface) instead of reading it from a file?
Answer is a little bit complicated. First You need to load Engine of your PKCS#11:
}
then you need load EVP_PKEY* from engine
EVP_PKEY* key = ENGINE_load_private_key(e, "SecureToken", NULL, &cb_data);
and pass it to SSL:
int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
strings
SecureToken
andpkcs11_engine
you should found in documentation to your engine pkcs11 module