curl-library
smart cards and web programming
Date: Sun, 13 Feb 2005 00:25:12 +0200
Dynamic OpenSSL Engines and PKCS#11.
What I want - to write applications that make use of data available on
the web and protected with strong authentication like smart cards.
What I have - an Estonian ID card, OpenSC library with pkcs11 module
for it and engine_pkcs11.so, a dynamic openssl engine that enables any
pkcs11 module for openssl (so any HSM that provides a pkcs11 library can
be used, for example something faster on the server side) and pycurl.
What I didn't have - a way to use the stuff together.
The quick patches should describe themselves. More error checking etc.
could be done.
Thanks go to Serge Hallyn for his similar patch for apache2 @
http://www.mail-archive.com/dev@httpd.apache.org/msg19638.html that
saved me some time from RTFM tasks.
* Issues/TODO
- a generic attribute setter for engines might be smart.
- as always - decent PIN handling... --pass has no effect (probably
  work needed in pkcs11 engine?)
- ENG type certificates in libcurl
- somewhere the path information of MODULE_PATH gets lost, that's why
  there's LD_LIBRARY_PATH in play.
* DEMO:
~/EstEID # pkcs15-tool -r 01 > auth.cert
~/EstEID # export LD_LIBRARY_PATH=/usr/lib/pkcs11:$LD_LIBRARY_PATH
~/EstEID # curl --engine dynamic \
    --engine-path /usr/lib/opensc/engine_pkcs11.so \
    --engine-id pkcs11 \
    --engine-pkcs11 /usr/lib/pkcs11/opensc-pkcs11.so \
    --key-type ENG --pass XXX --key id_01 \
    --cert auth.cert --cert-type PEM --insecure \
    https://www.sk.ee/cgi-bin/tervitus
SmartCard PIN:
<html><head><title>AS Sertifitseerimiskeskuse tervitus</title></head>
<body>
<h1>Tere tulemast AS Sertifitseerimiskeskus kodulehele, <font
color='blue'>MARTIN PALJAK</font></h1><hr>
Jätkamiseks palun klikkige <a href='https://www.sk.ee/'>sellel lingil</a>
</body></html>
~/EstEID #
comments welcome
peace,
m.
--
Martin Paljak
martin.paljak_at_gmail.com - Gmail
martin_at_paljak.pri.ee - private mail
http://martin.paljak.pri.ee - web
+372.5156495 - phone
- text/x-patch attachment: curl.diff
- text/x-patch attachment: pycurl.diff
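
Added example, not part of the original post or its patches: the dynamic-engine setup from the demo written as an OpenSSL configuration file, with the engine id, engine shared object and PKCS#11 module given as engine settings. It assumes an OpenSSL build with ENGINE support and a client that loads the OpenSSL configuration; the file location is hypothetical and the paths are the ones used in the demo.

```ini
# Constructed example. Select it with OPENSSL_CONF=/path/to/this/file
# (hypothetical location). Paths are the ones from the demo in the post.

# Must appear before the first [section].
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
# The left-hand name is only a label; engine_id below identifies the engine.
pkcs11 = pkcs11_section

[pkcs11_section]
# Engine id: what "--engine-id pkcs11" names in the demo.
engine_id = pkcs11
# Shared object of the dynamic engine: "--engine-path" in the demo.
dynamic_path = /usr/lib/opensc/engine_pkcs11.so
# PKCS#11 module handed to the engine: "--engine-pkcs11" in the demo.
MODULE_PATH = /usr/lib/pkcs11/opensc-pkcs11.so
# Do not initialise the engine while the configuration is being loaded.
init = 0
# No PIN setting here on purpose: a PIN stored in this file is readable by
# anyone who can read the file, so it is left to the interactive prompt.
```

With this file active, the engine is addressed by its id, for example through curl's stock `--engine pkcs11 --key-type ENG --key id_01` options. Server certificate verification can stay enabled by supplying the issuing CA with `--cacert` in place of `--insecure`.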