[strongSwan-dev] charon openssl RSA engine and private key on smartcard

Dimitrios Siganos dimitris at siganos.org
Thu Apr 29 14:54:32 CEST 2010


I am using charon and I need to access a private key sitting on a 
smartcard through an openssl RSA engine. I have setup engine_pkcs11 and 
opensc and got access to such a secret stored on a smartcard and it 
worked nicely.

However, I have another smartcard chip that doesn't allow me to do raw 
RSA sign of a digest. It only allows me to a SHA1/RSA PKCS1.5 
combination. i.e. it expects me to pass it the whole message, not just 
the digest, and it will do both the digest and the signing. But using 
the RSA engine, I seem to only get the digest given to me, which can't 
work with the smartcard I have.

Changing tha smardcard chip is not a solution because this is an 
embedded system with the chip built in.

I think the solution is to create an openssl digest engine for 
sha1withrsaencryption. I imagine if I did that, then strongswan would 
pass me to the whole message and I can pass that to my smartcard to do 
the whole sha1withrsaencryption operation.

Does the digest engine approach make sense?

Dimitrios Siganos

More information about the Dev mailing list