there are any plan to support PKCS11 certificates?

[welitonfreitas]

hi,

The are any plans for supporting PKCS11 certs? I have the need to use some hardware certificates for ssl requests.

if not, what is the difficulty and where to start implementing it today in pyopenssl?

tanks..

[danizen]

I'm not a pyopenssl developer, but it looks like the minimum needed to do this is to implement a sub-class of OpenSSL.crypto.PKey which acts as a wrapper for a private key on a smart card, and returns a sub-class of cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey which implements the sign method on the smart card itself.

A possibility for this is to use the package PyKCS11 to dialog with the smart card - this has worked for me for basic encryption, decryption and signing previously on both Windows and OS X.

See related issue requests/toolbelt#282 and related issue LudovicRousseau/PyKCS11#68

[reaperhulk]

PKCS11 support requires OpenSSL engines, which are not planned for support at this time. You can do this by patching ENGINE functions back into cryptography and using them though.