How to use private key on a PKCS#11 module instead of perivate key file for mutual-authentication in OpenSSL?

1.9k views Asked by At

I've a simple SSL client that uses OpenSSL library. My server requires client authentication & so I've to set client's private key stored in a password protected PEM file. I use the following code for this purpose:

/* set the private key from KeyFile */
if (SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0)
{
    ERR_print_errors_fp(stderr);
    abort();
}

/* verify private key */
if ( !SSL_CTX_check_private_key(ctx) )
{
    fprintf(stderr, "Private key does not match the public certificate\n");
    abort();
}

Now I want to know how can I establish a SSL connection using private key stored on a security token (with PKCS#11 interface) instead of reading it from a file?

1

There are 1 answers

3
Alex Bezuglyi On BEST ANSWER

Answer is a little bit complicated. First You need to load Engine of your PKCS#11:

ENGINE_load_builtin_engines();
{
    if (!(e = ENGINE_by_id("dynamic")))
        goto err;
    if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", "dstu", 0))
        goto err;
    if (!ENGINE_ctrl_cmd_string(e, "LIST_ADD", "2", 0))
        goto err;
    if (!ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
        goto err;
    e = ENGINE_by_id("pkcs11_engine");
    if (!e)
      return error;

res = ENGINE_init(e);
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
    goto err;

}

then you need load EVP_PKEY* from engine EVP_PKEY* key = ENGINE_load_private_key(e, "SecureToken", NULL, &cb_data);

and pass it to SSL: int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);

strings SecureToken and pkcs11_engine you should found in documentation to your engine pkcs11 module