Openssl: pkcs11 engine


#1

Hi! I am creating an application using the openssl crate, created by @sfackler. My question is, are openssl engines somehow supported in this crate? I need to integrate smartcard support, which on Debian is a piece of cake and works out of the box with the openssl tool. Just install the libengine-pkcs11-openssl package. On the shell I can create a server using the private key on my token using sth. like this:

$ openssl s_server -engine pkcs11 -cert ~/cert.pem -keyform engine -key "pkcs11:serial=0005000037f5"

For the sake of completeness, the certificate can be generated using this command:

$ openssl req -engine pkcs11 -new -key "pkcs11:serial=0005000037f5" -keyform engine -out ~/cert.pem -text -x509

So, in theory I “just” need to enable the pkcs11 engine in the Rust openssl crate and specify the relevant keypath. I fear that the support is disabled, since I found this

in the build script. Can I somehow use the pkcs11 openssl engine with the Rust openssl crate?


#2

The code you linked in the build script is checking if engines were enabled or not in the openssl distribution. It doesn’t build openssl itself.