The OpenSSL ENGINE facilities had ENGINE_load_private_key,
and ENGINE_load_public_key, but do not have ENGINE_load_certificate.

When the ENGINE is used by an application, such as the
Heimdal PKINIT code to use a smartcard to get a Kerberos
ticket the application does not have easy access to the
certificate stored on the smartcard.

The Heimdal code needs the certificate, as well as the key.
Currently the certificate must be loaded off the card
in a separate step, then passed in as a file.

Is there any chance that:

(1) OpenSSL would implement ENGINE_load_certificate

(2) OpenSC would use it in their sslengine/hw_pkcs11.c

(3) Heimdal would use it to load the certificate from the

Even if (1) is not done, It looks possible to use the
ENGINE_ctrl to do this if OpenSC would add a routine to
access the certificate and the Heimdal code would call it.

I am in the process of getting Heimdal on Linux to use OpenSC
to access a GemSAFE card, which was initialized for use
for Windows login to za domain.

So far its working, but the above is a problem as the
certificate needs to be load ahead of time or each time
by a seperate step, like:
pkcs15-tool -r 1 > $TMFCERTFILE

I am willing to look at the three steps, if it looks like
(1) would be accepted. If not I will look the ENGINE_ctrl


Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
__________________________________________________ ____________________
OpenSSL Project
Development Mailing List
Automated List Manager