Re: [opensc-commits] [OpenSC] #429: obtain certificate or private key using slot id and an index


Douglas E. Engert

On 3/11/2012 8:51 PM, OpenSC wrote:

> #429: obtain certificate or private key using slot id and an index
> ----------------------------+----------------------------
>    Reporter:  BevanCollins   |      Owner:  opensc-devel@…
>        Type:  enhancement    |     Status:  new
>    Priority:  normal         |  Milestone:
>   Component:  engine_pkcs11  |    Version:
>    Severity:  normal         |   Keywords:
> Blocked By:                 |   Blocking:
> ----------------------------+----------------------------
>   LOAD_CERT_CTRL supports the following formats to specify slot and
>   certificate:
>   <id>,<slot>:<id>, id_<id>, slot_<slot>-id_<id>, label_<label>,
>   slot_<slot>-label_<label>
>   where <slot> is the slot number as normal integer
>   and <id> is the id number as hex string.
>   and <label> is the textual key label string.
>   I need to be able to obtain all certificates loaded on a token without
>   prior knowledge of the certificates that are stored on the token.

AFAIK the OpenSSL engine code can only load one certificate (or key) at a time.
It is designed to load one certificate or key and can pass
in a clue to the engine, i.e. the slot_<slot>-id_<id> string.
OpenSSL engine is not designed to load all certificates, and therefore
engine_pkcs11 does not have the operation you request (multiple certificates).

pkcs15-tool -c
pkcs11-tool -O
can read or list all the objects on a card. You could use these programs
in scripts, or use the code from these programs in your own programs
to get the slot and id of all the certificates then use the OpenSSL engine
to retrieve these one at a time.

You could use an ENGINE_ctrl_cmd to an engine_pkcs11 function added to the
pkcs11_cmd_defns in hw_pkcs11.c to enumerate the certificates, and return
their IDs. This would only be available if you write code to make the calls;
you could not just use it in scripts that call the OpenSSL provided apps.

An approach that would not work would be to define an id_INDEX.<index> that could be
put into engine_pkcs11.c around line 490, that would return the <index>th cert from the
call at line 480 to PKCS11_enumerated_certs. This would return the next cert,
but not its id or its label.

The main problem with this is you will need to use the matching key, and since the
enumeration of the keys may not match the enumeration of the certs (as not every cert
has to have a key and there is no requirement that the enumerations match), you still
need the id or label of the key, which your program would not have.



  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
opensc-devel mailing list
[hidden email]
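The scripted approach the reply suggests (list the objects with pkcs11-tool, then hand the engine one slot_<slot>-id_<id> specifier at a time), as an added example that is not from the original post, the OpenSC project or engine_pkcs11. The object listing below is constructed in the shape that `pkcs11-tool -O` prints; the exact header wording varies between OpenSC versions, so the awk patterns are an assumption against this sample and may need adjusting for real output. The `certs_with_keys` function also handles the caveat raised at the end of the reply: it keeps only those certificates whose ID also names a private key on the same slot.

```shell
#!/bin/sh
# Added example (not OpenSC or engine_pkcs11 code): turn a pkcs11-tool -O style
# listing into engine_pkcs11 "slot_<slot>-id_<id>" specifiers, one per object,
# so each certificate or key can then be loaded through the engine one at a time.

# Constructed sample in the layout pkcs11-tool -O prints (assumed format, not a
# real capture). The slot number comes from the "Using slot N" header line.
# Note the CA certificate (id 0a) deliberately has no private key on the token.
SAMPLE_OBJECTS='Using slot 1 with a present token (0x1)
Certificate Object, type = X.509 cert
  label:      Certificate for PIV Authentication
  ID:         01
Private Key Object; RSA
  label:      PIV AUTH key
  ID:         01
  Usage:      decrypt, sign
Public Key Object; RSA 2048 bits
  label:      PIV AUTH pubkey
  ID:         01
  Usage:      encrypt, verify
Certificate Object, type = X.509 cert
  label:      Certificate for Digital Signature
  ID:         02
Private Key Object; RSA
  label:      SIGN key
  ID:         02
  Usage:      sign
Certificate Object, type = X.509 cert
  label:      Certificate for CA
  ID:         0a
'

# object_specs <header prefix>: read a pkcs11-tool -O listing on stdin and print
# "slot_<slot>-id_<id>" for every object whose header line starts with the given
# prefix ("Certificate Object", "Private Key Object", ...). Any other object
# header ends the current object, so an ID line is only taken from the wanted kind.
object_specs() {
    awk -v want="$1" '
        /^Using slot [0-9]+/  { slot = $3 }
        index($0, want) == 1  { in_obj = 1; next }
        /^[A-Za-z].*Object/   { in_obj = 0 }
        in_obj && $1 == "ID:" { printf "slot_%s-id_%s\n", slot, $2; in_obj = 0 }
    '
}

cert_specs() { object_specs "Certificate Object"; }
key_specs()  { object_specs "Private Key Object"; }

# certs_with_keys: only the certificate specifiers for which a private key with
# the same slot and ID exists. As the reply points out, a certificate need not
# have a key, so this is the subset you can actually use with
# "-engine pkcs11 -keyform engine -key <spec>".
certs_with_keys() {
    input=$(cat)
    keys=$(printf '%s\n' "$input" | key_specs)
    printf '%s\n' "$input" | cert_specs | while IFS= read -r spec; do
        for k in $keys; do
            if [ "$k" = "$spec" ]; then
                printf '%s\n' "$spec"
            fi
        done
    done
}

# Stand-alone demo on the constructed listing. Against a real token you would
# pipe the tool's output instead:  pkcs11-tool -O | certs_with_keys
printf '%s' "$SAMPLE_OBJECTS" | cert_specs
printf '%s' "$SAMPLE_OBJECTS" | certs_with_keys
```

Each printed specifier is in the slot_<slot>-id_<id> form the ticket quotes, so a script can loop over them and run one OpenSSL invocation per key (for example `openssl req -engine pkcs11 -keyform engine -key slot_1-id_01 ...`), which is exactly the one-object-at-a-time use the reply says the engine supports. Matching by ID alone is a convention, not a PKCS#11 guarantee; if a token labels its objects differently, the label lines would need to be parsed as well.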