
curl-library

Re: SSLv3 mutual authentication using libcurl and smart card

From: David Woodhouse <dwmw2_at_infradead.org>
Date: Mon, 26 Sep 2016 19:41:03 +0100

(You dropped me from Cc. Please don't do that if you want me to try to
 help you! http://david.woodhou.se/reply-to-list.html )

On Mon, 2016-09-26 at 15:53 +0000, Tiago dos Santos Gomes wrote:
>
> Here is some additional information to better explain my problem:
>
> Embedded Linux: Ubuntu 16.04 (kernel 3.14.38)
> Processor: i.MX 6UltraLite
> libcurl4-openssl-dev (OpenSSL flavor)
> libcurl3 (OpenSSL flavor)
>
> The card is accessed directly from my application, through a
> combination of APDU commands and IOCTL calls. There is no USB reader
> for access to the card because it is directly connected to the board
> (Sim Card Holder Connector). Using Freescale IMX SIM interface, I can
> send APDU commands to the card, for example, to sign or encrypt a
> buffer.
>
> Given this information, can the solution that you suggested still be
> applied?

Yes, I think it's still the simplest approach.

Take your APDU IOCTL code that you already have in your application,
and put it into a trivial PKCS#11 module. It only needs to claim to
have a *single* key in it, if that's all you have.

The key in that PKCS#11 module can then be used from any well-behaved
application by its PKCS#11 URI, fairly much as I described before.

Right now, I don't think curl is well-behaved in that sense — I think
you need to play silly buggers with CURLOPT_SSLENGINE and other
OpenSSL-specific horridness that you really shouldn't have to do; you
should only need to provide an RFC 7512 PKCS#11 URI as CURLOPT_SSLCERT
and regardless of which crypto library you use, it should work the
same.

(I actually thought I'd fixed that, and it isn't particularly hard;
I'll do it soon.)

There are two alternative approaches, which I don't think are as
useful. One is that you provide an OpenSSL ENGINE; the OpenSSL-specific
plugin mechanism. But that's not as generally useful as providing a
PKCS#11 module, and ENGINE_pkcs11 for OpenSSL already bridges the two,
so it doesn't seem worth doing an ENGINE instead of a PKCS#11 module.

The other is what I did years ago when I decided I needed to control
all the crypto myself and talk directly to the crypto libraries... I
eschewed curl altogether and wrote my own HTTP code. Having mostly
fixed the crypto side since then so that we don't need to do that any
more, I wouldn't advocate that you follow my lead there :)

-- 
dwmw2
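The message above says a well-behaved application should accept an RFC 7512 PKCS#11 URI as CURLOPT_SSLCERT and resolve the key through whatever PKCS#11 module the URI names. As an added illustration of what such a URI carries (this is example code written for this page, not code from curl, OpenSSL, the reply's author or any PKCS#11 module), here is a small C parser for the attribute subset a key lookup needs: the path attributes token, object, type and id, and the query attributes module-path and pin-value. The buffer sizes, the sample URI, the module path and the PIN used in the test are all constructed for this example. Unrecognised attribute names are ignored (RFC 7512 allows vendor-specific ones), while a known path attribute appearing in the query component, or a query attribute in the path, is rejected.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Attribute subset of an RFC 7512 "pkcs11:" URI that a key lookup needs:
   path attributes name the token and object, query attributes say which
   module to load and how to unlock it. Fixed buffers keep the example short. */
typedef struct {
    char token[64], object[64], type[16];
    unsigned char id[32];   /* CKA_ID is raw bytes, not text, so it is kept binary */
    size_t id_len;
    char module_path[128], pin_value[64];
} pkcs11_uri;

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src[0..len) into dst (always NUL-terminated).
   Returns the decoded length, or -1 on a bad escape or overflow. */
static int pct_decode(const char *src, size_t len, unsigned char *dst, size_t cap)
{
    size_t i, n = 0;
    for (i = 0; i < len; i++) {
        int b = (unsigned char)src[i];
        if (b == '%') {
            int hi, lo;
            if (i + 2 >= len) return -1;
            hi = hexval(src[i + 1]);
            lo = hexval(src[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            b = hi * 16 + lo;
            i += 2;
        }
        if (n + 1 >= cap) return -1;
        dst[n++] = (unsigned char)b;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Store one name=value pair. A known attribute must sit in the right
   component (path or query); unknown names are ignored, as RFC 7512 allows
   for vendor-specific attributes. Returns 0 on success, -1 on error. */
static int set_attr(pkcs11_uri *u, const char *name, size_t nlen,
                    const char *val, size_t vlen, int in_query)
{
    static const struct { const char *name; int query; size_t off, cap; } tab[] = {
        { "token",       0, offsetof(pkcs11_uri, token),       sizeof(((pkcs11_uri *)0)->token) },
        { "object",      0, offsetof(pkcs11_uri, object),      sizeof(((pkcs11_uri *)0)->object) },
        { "type",        0, offsetof(pkcs11_uri, type),        sizeof(((pkcs11_uri *)0)->type) },
        { "module-path", 1, offsetof(pkcs11_uri, module_path), sizeof(((pkcs11_uri *)0)->module_path) },
        { "pin-value",   1, offsetof(pkcs11_uri, pin_value),   sizeof(((pkcs11_uri *)0)->pin_value) },
    };
    size_t k;
    if (nlen == 2 && memcmp(name, "id", 2) == 0) {   /* path-only, binary value */
        int n = in_query ? -1 : pct_decode(val, vlen, u->id, sizeof u->id);
        if (n < 0) return -1;
        u->id_len = (size_t)n;
        return 0;
    }
    for (k = 0; k < sizeof tab / sizeof tab[0]; k++) {
        if (strlen(tab[k].name) != nlen || memcmp(tab[k].name, name, nlen) != 0) continue;
        if (tab[k].query != in_query) return -1;   /* attribute in the wrong component */
        return pct_decode(val, vlen, (unsigned char *)u + tab[k].off, tab[k].cap) < 0 ? -1 : 0;
    }
    return 0;
}

/* Parse s into u. Returns 0 on success, -1 on any syntax error.
   Path attributes are ';'-separated, the optional query after '?' is
   '&'-separated; a '?' inside a query value is allowed. */
int pkcs11_uri_parse(const char *s, pkcs11_uri *u)
{
    const char *p, *end, *eq;
    int in_query = 0;
    memset(u, 0, sizeof *u);
    if (strncmp(s, "pkcs11:", 7) != 0) return -1;
    for (p = s + 7; *p; p = *end ? end + 1 : end) {
        char sep = in_query ? '&' : ';';
        for (end = p; *end && *end != sep && (in_query || *end != '?'); end++)
            ;
        if (end == p) {                  /* empty segment: legal only as "pkcs11:?query" */
            if (*end == '?') { in_query = 1; continue; }
            return -1;
        }
        eq = memchr(p, '=', (size_t)(end - p));
        if (eq == NULL) return -1;
        if (set_attr(u, p, (size_t)(eq - p), eq + 1, (size_t)(end - eq - 1), in_query) < 0)
            return -1;
        if (*end == '?') in_query = 1;
    }
    return 0;
}
```

A caller passes a string such as `pkcs11:token=SIM%20card;object=auth%20key;type=private;id=%01%02?module-path=/usr/lib/libsimcard.so&pin-value=1234` (constructed values) and reads the fields from the struct. The id attribute is kept as bytes rather than text because CKA_ID on the token is an arbitrary byte string; comparing it as a C string would stop at the first zero byte. pin-value is accepted here because it is convenient for a test, but it places the PIN in whatever file or command line holds the URI; RFC 7512 also defines pin-source for that reason.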

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html

  • application/x-pkcs7-signature attachment: smime.p7s
Received on 2016-09-26