How to use a private key on a PKCS#11 module instead of a private key file for mutual authentication in OpenSSL?


Question

I have a simple SSL client that uses the OpenSSL library. My server requires client authentication, so I have to set the client's private key, which is stored in a password-protected PEM file. I use the following code for this purpose:

/* set the private key from KeyFile */
if (SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0)
{
    ERR_print_errors_fp(stderr);
    abort();
}

/* verify private key */
if ( !SSL_CTX_check_private_key(ctx) )
{
    fprintf(stderr, "Private key does not match the public certificate\n");
    abort();
}

Now I want to know how I can establish an SSL connection using a private key stored on a security token (with a PKCS#11 interface) instead of reading it from a file?

Answer

The answer is a little bit complicated. First you need to load the engine of your PKCS#11:

static ENGINE *load_pkcs11_engine(void)
{
    ENGINE *e = NULL;

    ENGINE_load_builtin_engines();

    /* use the "dynamic" engine to load your PKCS#11 engine's shared object */
    if (!(e = ENGINE_by_id("dynamic")))
        goto err;
    /* path of the engine library: placeholder, the answer had "dstu" here */
    if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", "/path/to/pkcs11_engine.so", 0))
        goto err;
    if (!ENGINE_ctrl_cmd_string(e, "LIST_ADD", "2", 0))
        goto err;
    if (!ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
        goto err;

    /* after LOAD the engine is registered under its own id; the id must match your engine */
    ENGINE_free(e);
    if (!(e = ENGINE_by_id("pkcs11_engine")))
        goto err;

    if (!ENGINE_init(e))
        goto err;
    if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
        goto err;
    return e;

err:
    ERR_print_errors_fp(stderr);
    if (e)
        ENGINE_free(e);
    return NULL;
}

Then you need to load an EVP_PKEY* from the engine:

EVP_PKEY *key = ENGINE_load_private_key(e, "SecureToken", NULL, &cb_data);

and pass it to SSL:

int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);

The strings "SecureToken" and "pkcs11_engine"
