I want to get data from a server that accepts only client authentication via smartcard and save it to my server. Since there is a lot of data, I want to create a connection between my server and this third-party server, but I need the user's certificate that is in the smart card. It's impossible for me to extract the private key from the smart card, of course, so I don't know if this is possible or not.
I enabled client authentication on my Apache server in this way:
SSLVerifyClient require
SSLVerifyDepth 4
SSLProtocol +TLSv1.1 +TLSv1.2
SSLOptions +ExportCertData +StdEnvVars
SSLCACertificateFile /usr/share/ca-certificates/ca-bundle.crt
After the user inserts the PIN, with my PHP script I can get the certificate in this way:
$certificate = $_SERVER["SSL_CLIENT_CERT"];
Finally, I try to use this certificate to sign the request via PHP cURL in this way:
$curl = curl_init();
curl_setopt_array($curl, array(
    CURLOPT_URL => "https://ext.processotelematico.giustizia.it/pda/pycons/GLMV/JPW_SICID",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_SSL_VERIFYPEER => true,
    // $certificate is the PEM exported by Apache in SSL_CLIENT_CERT
    CURLOPT_SSLCERT => $certificate,
    CURLOPT_POSTFIELDS => "<soapenv:Envelope xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/'>\r\n <soapenv:Header>\r\n <ws:InvocationDomain name=\"JPW\" role=\"AVV\" group=\"9876\" soapenv:mustUnderstand=\"1\" soapenv:actor=\"http://schemas.xmlsoap.org/soap/actor/next\" xmlns:ws=\"http://www.netserv.it/anag/security\" />\r\n </soapenv:Header>\r\n <soapenv:Body>\r\n <sicc:execute xmlns:sicc=\"urn:CONS-ANONIMA-SICC-BE\">\r\n <sicc:name>RicercaRuoloGenerale</sicc:name>\r\n <sicc:valueSet>\r\n <sicc:value name='idUfficio' type='string'>9876</sicc:value>\r\n <sicc:value name='numero' type='integer'>1</sicc:value>\r\n <sicc:value name='anno' type='string'>2017</sicc:value>\r\n </sicc:valueSet>\r\n <sicc:orderBy>\r\n <sicc:entry mode='asc' property='IDFASCICOLO' />\r\n </sicc:orderBy>\r\n </sicc:execute>\r\n </soapenv:Body>\r\n</soapenv:Envelope>",
    CURLOPT_HTTPHEADER => array(
        "cache-control: no-cache",
        "content-type: text/xml",
        "x-wasp-user: user-id"
    ),
));
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
    echo "cURL Error #:" . $err;
} else {
    echo $response;
}
But I receive this error: "unable to set private key file: ". So, I suppose I have only the public part of the certificate. Is there something I can do to log in remotely? Or is it impossible? I know I should use client-side code, like a Java applet, but, as I said, there is a lot of data and I want to avoid downloading it to the client and uploading it again to my server.
UPDATE: just to make the use case clear:
The second server is a government server. The ministry provides citizens' data after the login. I cannot change anything on this server, obviously.
The government issues the smartcards for authentication via trusted certificate authorities. I have the CA certificates on my server, so the CAs are not an issue (I suppose).
My web app should download, manage and present the citizen's data in a better way than the original server does.
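A server-side check, added here as an example and not part of the original question, that shows what the Apache setup above actually hands to PHP and why the cURL call fails: it verifies that Apache validated the chain, parses the exported certificate, and tests whether the PEM carries a private key (it never does, because the key stays on the smartcard). It assumes the `SSLOptions +ExportCertData +StdEnvVars` configuration from the question.

```php
<?php
// Added example, not code from the original question.
// Inspect the client certificate Apache exported after smartcard authentication.

function inspectClientCert(array $server): array
{
    $result = ['verified' => false, 'subject' => null, 'issuer' => null, 'has_private_key' => false];

    // Apache sets SSL_CLIENT_VERIFY to "SUCCESS" only when the client chain
    // validated against SSLCACertificateFile; anything else must not be trusted.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS' || empty($server['SSL_CLIENT_CERT'])) {
        return $result;
    }
    $pem = $server['SSL_CLIENT_CERT'];

    $x509 = openssl_x509_read($pem);
    if ($x509 === false) {
        return $result;
    }
    $info = openssl_x509_parse($x509);
    $result['verified'] = true;
    $result['subject']  = $info['name'];
    $result['issuer']   = $info['issuer']['CN'] ?? null;

    // SSL_CLIENT_CERT contains the certificate only (the public part). The private
    // key never leaves the smartcard, so this is always false, which is exactly why
    // cURL reports "unable to set private key file" when this PEM is used as CURLOPT_SSLCERT.
    $result['has_private_key'] = openssl_pkey_get_private($pem) !== false;

    return $result;
}

$check = inspectClientCert($_SERVER);
if (!$check['verified']) {
    http_response_code(403);
    exit('client certificate missing or not validated by Apache');
}
if (!$check['has_private_key']) {
    // Without the private key there is nothing to sign the TLS handshake with,
    // so the onward mTLS connection cannot be made on the user's behalf.
    error_log(sprintf('client cert %s (issuer %s) present, no private key: onward mTLS not possible',
        $check['subject'], $check['issuer']));
}
```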