2

I am new to PKCS#11 and Common Access Cards but as I understand it, on the card you have the certificates(s) that can be extracted and the private key(s) that can't. I am trying to write an app that communicates with a web server that requires certificates for authentication. The PKCS library provided from the hardware vendor is pretty thin. I can essentially access the certificate object or sign data using the on-card private key.

What I am unsure of how I handle the handshake and such when connecting to the webserver. Am I supposed to provide the certificate along with something else signed by the private key? If so, what is it that I sign with the private key? I have Googled this but have been unable find some kind of explanation for this process.

SonnyBurnette
  • 680
  • 3
  • 11
  • 25
  • Are you writing an SSL/TLS client yourself? If yes, then you should know what to sign. If you are using third-party library, then the library should support external certificates via for example CryptoAPI or PKCS#11. – Eugene Mayevski 'Callback Sep 30 '11 at 18:59

2 Answers2

1

If you are using an RSA key on the common access card for authentication, you'll need to send a CertificateVerify message in the handshake, which contains digital signatures over the handshake records to that point. You'll also need to send the client certificate, of course. See §7.4.8 of the TLS specification for details.

Hopefully, your TLS library supports the use of a PKCS #11 cryptographic module. If not, you might have to switch. Implementing TLS yourself when you aren't familiar with the specification is unreasonable.

Community
  • 1
  • 1
erickson
  • 265,237
  • 58
  • 395
  • 493
0

I think you just need to retrieve your client certificate from your PKCS#11 device and then use it along the request you are making to web server. You don't need to implement SSL if you use existing libraries. They should contain all you need.

hasa
  • 208
  • 1
  • 4