File: QuickStart.html

engine-pkcs11 0.1.4-2
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>QuickStart - Engine PKCS#11 - Trac</title><style type="text/css">
           @import url(trac.css);
          </style></head><body><div class="wikipage">
    <div id="searchable"><h1 id="QuickStart">Quick Start</h1>
<p>
First install the PKCS#11 module you want to use, such as OpenSC, and
install libp11 (runtime and development).
</p>
<p>
Installing engine_pkcs11 is quite simple:
</p>
<pre class="wiki" xml:space="preserve">wget http://www.opensc-project.org/files/engine_pkcs11-x.y.z.tar.gz
tar xfvz engine_pkcs11-x.y.z.tar.gz
cd engine_pkcs11-x.y.z
./configure --prefix=/usr/
make
make install
</pre><h2 id="UsingEngine_pkcs11withtheopensslcommand">Using Engine_pkcs11 with the openssl command</h2>
<p>
You can start the OpenSSL command shell, load the engine, and then run any command that
uses the engine. Here is an example:
</p>
<pre class="wiki" xml:space="preserve">$ openssl
OpenSSL&gt; engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so \
         -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \
         -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
OpenSSL&gt; req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509 \
         -subj "/CN=Andreas Jellinghaus"
</pre><p>
In this example engine_pkcs11 is loaded using the PKCS#11 module opensc-pkcs11.so.
The second command creates a self-signed certificate for "Andreas Jellinghaus"; the signing
is done using the key with id 45 from your smart card in slot 0.
</p>
<h2 id="UsingEngine_pkcs11withtheopensslconfigfile">Using Engine_pkcs11 with the openssl config file</h2>
<p>
You can also create/edit an openssl config file, so you don't need to type in or paste
the above commands all the time. Here is an example for OpenSSL 0.9.8:
</p>
<pre class="wiki" xml:space="preserve">openssl_conf            = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
init = 0

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]

</pre><p>
With such a config file you can directly call openssl to use that engine:
</p>
<pre class="wiki" xml:space="preserve">openssl req -config openssl.conf -engine pkcs11 -new -key id_45 \
        -keyform engine -out req.pem -text -x509 \
        -subj "/CN=Andreas Jellinghaus"
</pre><h2 id="EnginePKCS11Options">Engine PKCS#11 Options</h2>
<p>
Options you can use with engine_pkcs11:
</p>
<ul><li>SO_PATH: Specifies the path to the 'pkcs11-engine' shared library
</li><li>MODULE_PATH: Specifies the path to the pkcs11 module shared library
</li><li>PIN: Specifies the PIN code
</li><li>VERBOSE: Print additional details
</li><li>QUIET: Remove additional details
</li><li>LOAD_CERT_CTRL: Get the certificate from card
</li></ul><p>
The PIN can be passed only in the [pkcs11_section] of openssl.conf (see above).
</p>
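<p>
Added example (not part of the original page or of the engine_pkcs11 project): a POSIX shell
check for the config file shown above. It reports a PIN stored in a group- or world-readable
file, and dynamic_path or MODULE_PATH values that are relative, missing, or group- or
world-writable, since OpenSSL loads both libraries. The function names, the demo files and
the PIN 0000 are constructed for illustration.
</p>

```sh
# Added example: audit an OpenSSL config that loads engine_pkcs11.

# Print "key=value" for each assignment in [pkcs11_section] (assumed section name).
section_entries() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[[ \t]*pkcs11_section[ \t]*\]/); next }
        !in_sec { next }
        /^[ \t]*[A-Za-z0-9_]+[ \t]*=/ {
            sub(/[ \t]*#.*$/, "")                  # strip trailing comment
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            print key "=" val
        }' "$1"
}

# Succeed when the ls mode string of $1 (symlinks followed) matches glob $2.
mode_matches() {
    case "$(ls -ldL "$1" | cut -c1-10)" in $2) return 0 ;; *) return 1 ;; esac
}

# Print one finding per line; print nothing when the config passes.
audit_pkcs11_conf() {
    conf=$1
    section_entries "$conf" | while IFS='=' read -r key val; do
        case "$key" in
        PIN)  # a PIN in the config is only as secret as the file itself
            if mode_matches "$conf" '????r*' || mode_matches "$conf" '???????r*'; then
                echo "PIN: config file is readable by group or others"
            fi ;;
        dynamic_path|MODULE_PATH)  # both libraries run inside the openssl process
            case "$val" in /*) ;; *) echo "$key: not an absolute path"; continue ;; esac
            if [ ! -f "$val" ]; then
                echo "$key: file not found"
            elif mode_matches "$val" '?????w*' || mode_matches "$val" '????????w*'; then
                echo "$key: library is writable by group or others"
            fi ;;
        esac
    done
}

# Constructed demo: throwaway config plus empty stand-in library files.
demo() {
    d=$(mktemp -d) || return 1
    touch "$d/engine.so" "$d/module.so"
    printf '[pkcs11_section]\ndynamic_path = %s\nMODULE_PATH = %s\nPIN = 0000\n' \
        "$d/engine.so" "$d/module.so" > "$d/openssl.conf"
    chmod 644 "$d/engine.so" "$d/openssl.conf"; chmod 666 "$d/module.so"
    audit_pkcs11_conf "$d/openssl.conf"; rm -rf "$d"
}
demo
```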
<p>
FIXME: copied these options from the source code, untested
</p>
<h2 id="OpenSSLautoloading">OpenSSL autoloading</h2>
<p>
OpenSSL 0.9.8+ can automatically load engines. If you want to enable that
feature, add a symlink from engine_pkcs11.so to libfoo.so in the
lib/engines/ directory where engine_pkcs11.so is installed.
</p>
<p>
We think that a config file is a much better approach, since you need to
tell engine_pkcs11.so which PKCS#11 module to use, and you can do that
only via the command line or via the config file.
</p>
</div>
   </div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>