
I'm trying to establish a TLS 1.2 connection to a server. I have to use a certificate and key stored on a PKCS#11 token, but I can't seem to find the correct functions in OpenSSL to do so.

I have implemented something similar with GnuTLS using [1]. Are there corresponding C/C++ functions in OpenSSL? Basically, I'm looking for a programmatic way to let me set the object path (PKCS#7 format) and a callback function, since a PIN is required to unlock the token.

Is it even possible to integrate a PKCS#11 token using OpenSSL? I have found functions that let me set certificates and keys, but only as files on my local machine [2].

Any help is much appreciated.

[1] http://www.gnutls.org/manual/html_node/Using-a-PKCS11-token-with-TLS.html

[2] https://www.openssl.org/docs/man1.0.1/ssl/SSL_CTX_use_certificate_file.html

datosh
  • Depends on whether the token uses PKCS#15 or some proprietary format. https://github.com/OpenSC/OpenSC/wiki/Overview – stark Feb 14 '17 at 17:02
  • Also see [Getting certificates from smartcards](https://mta.openssl.org/pipermail/openssl-users/2015-July/001810.html) on the OpenSSL user mailing list. I believe you can use the PKCS11 functions, or an Engine to do it. – jww Feb 14 '17 at 19:42
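The route the second comment points at, as an added example that is not part of the question or of any answer on this page: OpenSSL's ENGINE mechanism with OpenSC's libp11 "pkcs11" engine. The script registers the engine through an openssl.cnf, exports the client certificate from the token with pkcs11-tool (s_client only takes the certificate from a file), builds an RFC 7512 PKCS#11 URI for the private key and opens a TLS 1.2 client-authenticated connection. The engine and module paths (engine_pkcs11's pkcs11.so, SoftHSM's libsofthsm2.so), the token and object labels and the host are assumptions; no token is available here, so only the pure-shell helpers run unconditionally.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumed paths (adjust):
#   ENGINE_SO - engine_pkcs11 shared object from libp11 (OpenSC)
#   MODULE_SO - the token's PKCS#11 module (OpenSC's opensc-pkcs11.so, or
#               libsofthsm2.so when testing against SoftHSM)
set -eu
LC_ALL=C            # byte-wise string handling in pkcs11_pct_encode
export LC_ALL

# Percent-encode everything except RFC 3986 unreserved characters; the result
# is always a valid RFC 7512 (PKCS#11 URI) attribute value, e.g. "My Token".
pkcs11_pct_encode() {
  s=$1
  out=
  while [ -n "$s" ]; do
    rest=${s#?}            # drop the first byte ...
    c=${s%"$rest"}         # ... and keep it in c
    s=$rest
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Build a PKCS#11 URI that the engine resolves to one object on one token.
#   $1 token label, $2 object label, $3 type: private | public | cert
pkcs11_uri() {
  printf 'pkcs11:token=%s;object=%s;type=%s' \
    "$(pkcs11_pct_encode "$1")" "$(pkcs11_pct_encode "$2")" "$3"
}

# Write an openssl.cnf that loads the engine (point OPENSSL_CONF at it).
# init = 0 makes the engine initialise only after MODULE_PATH has been set.
#   $1 output file, $2 engine_pkcs11 .so, $3 PKCS#11 module .so
write_engine_conf() {
  cat >"$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $2
MODULE_PATH = $3
init = 0
EOF
}

# s_client reads the certificate from a file, so export it from the token
# with OpenSC's pkcs11-tool and convert DER to PEM.
#   $1 module .so, $2 certificate object label, $3 output PEM path
export_token_cert() {
  pkcs11-tool --module "$1" --read-object --type cert --label "$2" \
    --output-file "$3.der"
  openssl x509 -inform DER -in "$3.der" -out "$3"
  rm -f "$3.der"
}

# TLS 1.2 connection with client authentication. The engine prompts for the
# PIN on the terminal when it loads the key, so the PIN is in neither argv
# (visible in ps) nor the config file.
#   $1 host:port, $2 private-key PKCS#11 URI, $3 client cert PEM, $4 CA bundle
tls12_connect() {
  openssl s_client -connect "$1" -tls1_2 \
    -engine pkcs11 -keyform engine -key "$2" \
    -cert "$3" -CAfile "$4" -verify_return_error
}

# Usage: sh pkcs11-tls12.sh HOST:PORT TOKEN_LABEL KEY_LABEL CERT_LABEL ca.pem
if [ $# -eq 5 ]; then
  : "${ENGINE_SO:=/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so}"  # assumed
  : "${MODULE_SO:=/usr/lib/softhsm/libsofthsm2.so}"                  # assumed
  conf=$(mktemp)
  write_engine_conf "$conf" "$ENGINE_SO" "$MODULE_SO"
  export_token_cert "$MODULE_SO" "$4" client.pem
  OPENSSL_CONF=$conf tls12_connect "$1" "$(pkcs11_uri "$2" "$3" private)" \
    client.pem "$5"
  rm -f "$conf"
fi
```

The same engine is what a C program would drive: ENGINE_load_builtin_engines(), ENGINE_by_id("pkcs11"), ENGINE_ctrl_cmd_string(e, "MODULE_PATH", path, 0), ENGINE_init(e), then ENGINE_load_private_key(e, uri, ui_method, cb_data), where the UI_METHOD is the PIN callback the question asks for, and SSL_CTX_use_PrivateKey() with the returned EVP_PKEY; the certificate comes from the engine's LOAD_CERT_CTRL command followed by SSL_CTX_use_certificate(). The on-card layout (PKCS#15 or vendor-specific, as the first comment notes) is handled inside the PKCS#11 module, so the URI and the engine calls do not change with it. Putting pin-value= in the URI or PIN = in the config works but exposes the PIN in the process list or on disk. OpenSSL 3 deprecates ENGINEs in favour of providers; the engine still loads there, but new code should look at the PKCS#11 provider instead.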
