PKCS#11 TLS Authentication


Problem description

I am new to PKCS#11 and Common Access Cards but as I understand it, on the card you have the certificate(s) that can be extracted and the private key(s) that can't. I am trying to write an app that communicates with a web server that requires certificates for authentication. The PKCS library provided by the hardware vendor is pretty thin. I can essentially access the certificate object or sign data using the on-card private key.

What I am unsure of is how to handle the handshake and such when connecting to the web server. Am I supposed to provide the certificate along with something else signed by the private key? If so, what is it that I sign with the private key? I have Googled this but have been unable to find some kind of explanation of this process.

Solution

If you are using an RSA key on the common access card for authentication, you'll need to send a CertificateVerify message in the handshake, which contains digital signatures over the handshake records to that point. You'll also need to send the client certificate, of course. See §7.4.8 of the TLS specification for details.

Hopefully, your TLS library supports the use of a PKCS #11 cryptographic module. If not, you might have to switch. Implementing TLS yourself when you aren't familiar with the specification is unreasonable.
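The exchange the answer describes, as an added example that is not from the original post or from any vendor's PKCS#11 library. It is in Go because crypto/tls accepts any crypto.Signer as tls.Certificate.PrivateKey and then builds the CertificateVerify message itself, so wrapping the card's sign call in that interface is the whole job of getting a TLS library to use the card. The cardSigner type and its name are hypothetical, a software RSA key stands in for the card's C_Sign call, and the handshake message bodies are constructed placeholders in the right wire order. The code builds a TLS 1.2 client-authentication transcript, produces the RSA CertificateVerify signature (SHA-256 over every handshake message exchanged so far, PKCS#1 v1.5 padded around the SHA-256 DigestInfo), checks it as the server would, and shows that the same signature is rejected once a single transcript byte differs.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// DER DigestInfo prefix for SHA-256 (RFC 8017 §9.2). CKM_RSA_PKCS on a card
// adds only the PKCS#1 v1.5 padding, so the caller must supply this prefix.
var sha256DigestInfoPrefix = []byte{
	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
	0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
}

// cardSigner (hypothetical name) adapts a thin vendor PKCS#11 library to crypto.Signer,
// the interface tls.Certificate.PrivateKey needs. signRaw stands in for C_Sign with
// CKM_RSA_PKCS; in runDemo it is backed by a software key so the example runs without a card.
type cardSigner struct {
	pub     *rsa.PublicKey
	signRaw func(data []byte) ([]byte, error)
}

var _ crypto.Signer = (*cardSigner)(nil)

func (c *cardSigner) Public() crypto.PublicKey { return c.pub }

// Sign receives the finished transcript hash and returns PKCS#1 v1.5 over its DigestInfo.
func (c *cardSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts.HashFunc() != crypto.SHA256 {
		return nil, fmt.Errorf("cardSigner: unsupported hash %v", opts.HashFunc())
	}
	return c.signRaw(append(append([]byte{}, sha256DigestInfoPrefix...), digest...))
}

// handshakeMessage wraps a body in the 4-byte Handshake header: type, 24-bit length.
func handshakeMessage(msgType byte, body []byte) []byte {
	n := len(body)
	return append([]byte{msgType, byte(n >> 16), byte(n >> 8), byte(n)}, body...)
}

// sampleTranscript is a constructed stand-in for every handshake message sent or received
// before CertificateVerify, in wire order (RFC 5246 §7.4 types: 1 ClientHello, 2 ServerHello,
// 11 Certificate, 13 CertificateRequest, 14 ServerHelloDone, 16 ClientKeyExchange).
func sampleTranscript() [][]byte {
	return [][]byte{
		handshakeMessage(1, []byte("client_hello: version, random, cipher suites")),
		handshakeMessage(2, []byte("server_hello: version, random, chosen suite")),
		handshakeMessage(11, []byte("server certificate chain")),
		handshakeMessage(13, []byte("certificate_request: rsa_sign, sha256")),
		handshakeMessage(14, nil),
		handshakeMessage(11, []byte("client CAC certificate")),
		handshakeMessage(16, []byte("encrypted premaster secret")),
	}
}

// certificateVerifySignature is the client side (TLS 1.2, RSA, sha256): sign SHA-256 of all messages.
func certificateVerifySignature(msgs [][]byte, signer crypto.Signer) ([]byte, error) {
	digest := sha256.Sum256(bytes.Join(msgs, nil))
	return signer.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// verifyCertificateVerify is the server side, run against its own copy of the transcript.
func verifyCertificateVerify(msgs [][]byte, pub *rsa.PublicKey, sig []byte) error {
	digest := sha256.Sum256(bytes.Join(msgs, nil))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// runDemo reports whether the genuine signature verifies and whether it is rejected once
// one transcript byte differs: the signature binds the card to this handshake, not any other.
func runDemo() (genuineOK, tamperRejected bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	// hash == 0: Go pads and signs the bytes as given, adding no DigestInfo, like CKM_RSA_PKCS.
	card := &cardSigner{pub: &key.PublicKey, signRaw: func(data []byte) ([]byte, error) {
		return rsa.SignPKCS1v15(rand.Reader, key, 0, data)
	}}
	msgs := sampleTranscript()
	sig, err := certificateVerifySignature(msgs, card)
	if err != nil {
		return false, false, err
	}
	genuineOK = verifyCertificateVerify(msgs, card.pub, sig) == nil
	tampered := sampleTranscript()
	tampered[0][len(tampered[0])-1] ^= 0x01 // a relay altering one ClientHello byte
	tamperRejected = verifyCertificateVerify(tampered, card.pub, sig) != nil
	return genuineOK, tamperRejected, nil
}

func main() {
	ok, rejected, err := runDemo()
	fmt.Println("genuine verifies:", ok, "| tampered rejected:", rejected, "| err:", err)
}
```

Run it with `go run`. The DigestInfo step is where a thin vendor wrapper most often goes wrong: if the card mechanism already hashes (CKM_SHA256_RSA_PKCS), hand it the raw transcript instead, and if you give CKM_RSA_PKCS the bare 32-byte hash the server's verify simply fails with no useful error. This is the TLS 1.2 form from §7.4.8 of RFC 5246; TLS 1.0 and 1.1 sign a 36-byte MD5+SHA-1 concatenation with no DigestInfo, and TLS 1.3 signs a context string plus the transcript hash with RSA-PSS, which is one more reason to let the TLS library drive the signer rather than assembling these messages by hand.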
