I'm OK with the fact that the whole point of using a smart card is that we can't extract keys.<br>I learned that OpenSSL, using the PKCS#11 API, must communicate with a middleware called OpenSC that really communicates with the card.<br>
The problem is that OpenSC does not understand the structure of the card if it is non-standard (i.e. not PKCS#15). So:<br>1- I should write an emulation driver that will create a structure (similar to PKCS#15) in host memory to allow the middleware to know the structure (e.g. ID/path of keys)<br>
2- I should write a card driver to make OpenSC perform basic commands,
such as signing data with that key (if needed) -> the outputs will be understood by
OpenSSL.<br><br>I'm thinking about another solution: why not create a new module (in place of eap-tls) that FreeRADIUS will use to do EAP-TLS via the "APDU outputs" of the card instead of OpenSSL? The client must have the same structure of messages to send!<br>
<br><i>Another question to consider is whether a smartcard will give you adequate
performance for your server load; a different type of hardware-based
key management might be more appropriate than using a smartcard for a
server. Smartcards are typically used for "client" authentication and
signing, where the volume of cryptographic operations is relatively low.<br><br></i>If I am able to connect one card, I will use many cards to connect with the server to optimize the performance and the access to the data. Can you give me an example of other hardware key management usable for that aim?<br>
<br>Thanks a lot!<br>
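The second item in the plan above (a card driver that issues the basic commands and hands the card's output back up to OpenSC/OpenSSL) boils down to building ISO 7816-4 command APDUs and parsing the responses. The following is an added example, not code from this thread, from OpenSC, or from FreeRADIUS: it frames short APDUs, parses the status word (including the 61xx "more data" chaining), and runs the minimal sign flow (SELECT the key's path, PERFORM SECURITY OPERATION: COMPUTE DIGITAL SIGNATURE, GET RESPONSE). The INS/P1/P2 values are the standard ones from ISO 7816-4/7816-8; the key path `50 15 B0 01`, the fake card and its response bytes are constructed so the flow runs offline.

```python
"""ISO 7816-4 short-APDU framing and a driver-level sign flow.

Added example, not code from the thread above or from OpenSC. The INS/P1/P2
values are the standard SELECT / PERFORM SECURITY OPERATION / GET RESPONSE
ones; everything else (the key path, the fake card's responses) is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Instruction bytes from ISO 7816-4 / 7816-8
INS_SELECT = 0xA4
INS_PSO = 0x2A            # PERFORM SECURITY OPERATION
INS_GET_RESPONSE = 0xC0
PSO_CDS_P1, PSO_CDS_P2 = 0x9E, 0x9A   # PSO: COMPUTE DIGITAL SIGNATURE

SW_OK = 0x9000
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982   # e.g. PIN not verified


def build_apdu(cla: int, ins: int, p1: int, p2: int,
               data: bytes = b"", le: Optional[int] = None) -> bytes:
    """Encode a short command APDU: CLA INS P1 P2 [Lc data] [Le].

    le=None omits the Le field; le=0 or le=256 is encoded as 0x00 (up to 256 bytes).
    """
    for name, v in (("cla", cla), ("ins", ins), ("p1", p1), ("p2", p2)):
        if not 0 <= v <= 0xFF:
            raise ValueError(f"{name} out of range: {v:#x}")
    if len(data) > 255:
        raise ValueError("short APDU data field is limited to 255 bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        if not 0 <= le <= 256:
            raise ValueError("Le must be 0..256 for a short APDU")
        apdu += bytes([le & 0xFF])
    return apdu


@dataclass
class Response:
    data: bytes
    sw: int                      # SW1 SW2 as one 16-bit value

    @property
    def ok(self) -> bool:
        return self.sw == SW_OK

    @property
    def pending(self) -> int:
        """SW1=0x61 means SW2 more response bytes are waiting (fetch with GET RESPONSE)."""
        return self.sw & 0xFF if (self.sw >> 8) == 0x61 else 0


def parse_response(raw: bytes) -> Response:
    """Split a card response into data and the trailing status word."""
    if len(raw) < 2:
        raise ValueError("response shorter than a status word")
    return Response(data=raw[:-2], sw=(raw[-2] << 8) | raw[-1])


def select_by_path(path: bytes) -> bytes:
    """SELECT FILE by path from the MF (P1=0x08), e.g. walking to the key's DF/EF."""
    return build_apdu(0x00, INS_SELECT, 0x08, 0x00, path)


def pso_compute_signature(padded_input: bytes) -> bytes:
    """PSO:CDS over an input the host has already padded (e.g. a PKCS#1 DigestInfo)."""
    return build_apdu(0x00, INS_PSO, PSO_CDS_P1, PSO_CDS_P2, padded_input, le=256)


Transmit = Callable[[bytes], bytes]


def sign_with_card(transmit: Transmit, key_path: bytes, padded_input: bytes) -> bytes:
    """The basic driver flow: SELECT the key's path, run PSO, drain 61xx chaining.

    `transmit` is whatever talks to the reader (PC/SC in a real driver).
    """
    r = parse_response(transmit(select_by_path(key_path)))
    if not r.ok:
        raise RuntimeError(f"SELECT failed, SW={r.sw:04X}")
    r = parse_response(transmit(pso_compute_signature(padded_input)))
    sig = r.data
    while r.pending:
        r = parse_response(transmit(
            build_apdu(0x00, INS_GET_RESPONSE, 0x00, 0x00, le=r.pending)))
        sig += r.data
    if not r.ok:
        raise RuntimeError(f"PSO failed, SW={r.sw:04X}")
    return sig


# Constructed stand-in for a card + reader so the flow runs offline. It answers
# with a 15-byte "signature" split across PSO and GET RESPONSE, and refuses to
# sign unless SELECT went to the made-up key path 50 15 B0 01.
FAKE_KEY_PATH = b"\x50\x15\xB0\x01"


def make_fake_card() -> Transmit:
    state = {"selected": b""}

    def transmit(apdu: bytes) -> bytes:
        ins = apdu[1]
        if ins == INS_SELECT:
            state["selected"] = apdu[5:5 + apdu[4]] if len(apdu) > 4 else b""
            return b"\x90\x00"
        if ins == INS_PSO:
            if state["selected"] != FAKE_KEY_PATH:
                return SW_SECURITY_STATUS_NOT_SATISFIED.to_bytes(2, "big")
            return b"\xAA" * 10 + b"\x61\x05"      # 5 more bytes pending
        if ins == INS_GET_RESPONSE:
            return b"\xBB" * 5 + b"\x90\x00"
        return b"\x6D\x00"                          # INS not supported
    return transmit


if __name__ == "__main__":
    card = make_fake_card()
    print(sign_with_card(card, FAKE_KEY_PATH, b"\x01" * 35).hex())
```

The point of the fake card is the failure path: a PSO issued against the wrong path (or before PIN verification on a real card) comes back as `69 82`, and a driver must surface that as an error rather than hand an empty signature up to the PKCS#11 layer. Real cards also differ in whether they want the DigestInfo padded by the host or do the padding themselves, which is exactly the kind of per-card detail the emulation/driver layer in the plan above has to encode.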