About OpenSSL support for USB-KEY certificates

Source: Internet
Author: User
Author: orangutan human

For work, I needed to access the certificate on a USB-KEY from OpenSSL and establish a connection with the server.

With the help of the child prodigy, two implementation methods are available.

1. If the USB-KEY driver supports the PKCS #11 interface, OpenSSL can easily access the USB-KEY through an engine.

2. I heard that the latest version, OpenSSL 0.9.8i, has added support for Windows CAPI.

I tried OpenSSL 0.9.8i directly because I was too lazy.

I referred to the information on this page:

http://markmail.org/message/hrrq3hhciz6vml6w#query:OPENSSL%20CryptoAPI%20ENGINE+page:1+mid:ufpkpzqtk5ohn5hz+state:results

If you are interested, you can check it out.

Okay. Start working now.

1. Download OpenSSL 0.9.8i and unpack it. Address:

http://www.openssl.org/source/openssl-0.9.8i.tar.gz

2. Download ActivePerl and install it. Address:

http://www.activestate.com/Products/activeperl/index.mhtml

3. Compile the library. Because OpenSSL 0.9.8i does not enable CAPI support by default, you must modify the configuration before compiling. Because I use VC

perl Configure VC-WIN32 enable-capieng -DOPENSSL_SSL_CLIENT_ENGINE_AUTO=capi -DOPENSSL_CAPIENG_DIALOG

This turns on enable-capieng and makes the SSL client automatically use the CAPI engine.

4. Start compiling. The compilation itself is the same as usual, so I will not say much about it. There is plenty of material on the Internet.

After the above steps, the library compilation is complete.
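
The build steps above as one command sequence, followed by two checks that the CAPI engine is present. This is an added example, not part of the original post; it assumes a Visual Studio command prompt, the non-assembler ms\do_ms makefile generator and the DLL makefile from OpenSSL's own Windows build instructions, and a placeholder host name.

```bat
rem Added example: build OpenSSL 0.9.8i with the CAPI engine (VC-WIN32).
rem Assumption: run from a Visual Studio command prompt with ActivePerl on PATH,
rem inside the directory where openssl-0.9.8i.tar.gz was unpacked.
cd openssl-0.9.8i

rem Step 3: enable the CAPI engine, make it the automatic source of SSL client
rem certificates, and allow its certificate selection dialog.
perl Configure VC-WIN32 enable-capieng -DOPENSSL_SSL_CLIENT_ENGINE_AUTO=capi -DOPENSSL_CAPIENG_DIALOG
if errorlevel 1 exit /b 1

rem Step 4: generate the makefiles (no assembler) and build the DLL version.
call ms\do_ms.bat
nmake -f ms\ntdll.mak
if errorlevel 1 exit /b 1

rem Check 1: the engine loads and reports itself as available.
out32dll\openssl.exe engine -t capi

rem Check 2: list the certificates CryptoAPI exposes; with the USB-KEY
rem inserted, its certificate should appear in this list.
out32dll\openssl.exe engine -t -post list_certs capi

rem Check 3: connect to a server that requests a client certificate.
rem No -cert/-key files are given; the client certificate comes from CAPI.
rem server.example is a placeholder, replace it with the real host.
out32dll\openssl.exe s_client -connect server.example:443
```

Because OPENSSL_SSL_CLIENT_ENGINE_AUTO is a compile-time setting, every SSL client linked against this build of the library will offer CryptoAPI certificates, not only the test program.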

Start the test below.

In the past, when I used OpenSSL as a client, the certificate was provided through files. Without a certificate, websites that required client certificates could not be accessed.

Based on this premise, the following experiments were conducted.

The USB-KEY test (note in particular that the USB-KEY used for the test is dedicated to public security, so the first access to the USB-KEY requires entering the key password, and the test was conducted on the Public Security Intranet):

1. Use the newly compiled software to initiate an HTTPS page request. The public security key password input window is displayed. (This proves that CAPI was called and the USB-KEY was accessed successfully.)

2. After entering the password, the returned page contains information about the USB-KEY owner. (This proves that USB-KEY support works.)

3. Pull out the USB-KEY and request the page again. The returned page jumps directly to the logon window without any personnel information.

4. Re-insert the USB-KEY (without restarting the test software) and request the HTTPS page again. The password input window appears; after entering the password, the page is accessed successfully and contains the USB-KEY owner's information.

5. Request the page again. No password input window appears and the page returns normally, again with the USB-KEY owner's information.

The above five tests prove that the newly compiled OpenSSL 0.9.8i automatically calls CAPI. This is good news for developers who need to support the CAPI interface in OpenSSL. For me at least, there is no need to write or test that code myself.

This version seems to support the CAPI interface only on Windows; the situation on Linux is unclear to me. In the open-source spirit of OpenSSL, I am sharing my tests for your reference. If you have similar requirements in the future, you can try it.
