Re: private key not available for client_cert_cb

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ok. So I use the libp11 project DLL file for the SO_PATH and my smart card middleware DLL for the MODULE_PATH when setting up the OpenSSL Engine?


Thanks,
George



On 2020-12-17 3:22 a.m., Jan Just Keijser wrote:
Hi,

On 16/12/20 20:26, George wrote:
Hi,

   I've been looking at the code in the pppd EAP-TLS patch, but I can't seem to load the engine with the pkcs11 DLL. It is failing with the error:

error:2507606A:DSO support routines:WIN32_BIND_FUNC:could not bind to the requested symbol name

I've verified the path is correct.

I am using OpenSSL1.0.2u with the FIPS Object Module 2.0.16  in Windows 10. Do I need to do anything special to allow loading of DLLs in OpenSSL?

Here is what I am trying to do:

    char* engine_name = "C:\\Users\\whipp\\junk4\\ActivClient\\acpkcs211.dll";
    ENGINE_load_builtin_engines();
    ENGINE_register_all_complete();
    ENGINE *pkey_engine = ENGINE_by_id("dynamic");
    ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH", engine_name, 0);
    ENGINE_ctrl_cmd_string(pkey_engine, "ID", "pkcs11", 0);
    ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0);


Do you see anything wrong with this?


I forgot to mention that loading a PKCS11 driver from within OpenSSL is a 2 stage rocket:

first stage:  load the engine_pkcs11 module using

    char* engine_name = "C:\\Windows\\System32\\pkcs11.dll"

This is a separate piece of code and is part of the libp11 project:
  https://github.com/OpenSC/libp11

(it also has a nice wiki that explains how to do it on the command line using OPENSSL.EXE)

Then create an openssl.cnf section like this:

openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = "C:\Windows\System32\opensc-pkcs11.dll"
MODULE_path = "C:\Users\whipp\junk4\ActivClient\acpkcs211.dll"
PIN = "0001password"
init = 0

and load that (see the EAP-TLS code for an example or read
  https://stackoverflow.com/questions/41119744/pkcs11-engine-for-openssl
for a similar question).

HTH,

JJK




On 2020-12-15 4:38 a.m., Jan Just Keijser wrote:
Hi,

On 14/12/20 21:01, George wrote:
Ok, so I am not actually going to populate EVP_PKEY with a private key in the callback function:
int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)?

Instead, I will call
EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, UI_METHOD *ui_method, void *callback_data);
to get the EVP_PKEY, which will be used by OpenSSL to access the Smart Card.

Once I get  the resulting EVP_PKEY using ENGINE_load_private_key(...), how do I assign it to pkey in the callback function?
If I had private key I would use something like
EVP_PKEY_assign_RSA(..)
Since I don't actually have a private key, should I use something else?

like Michael pointed out, my  eap-tls code is just an example of how you could handle a pkcs11 device; it does not us a callback at all, but my code loads the client cert+key upfront and avoids having to use a client callback altogether.

I guess you could also use a client callback for this (perhaps in combination with SSL_CTX_set_client_cert_engine()) . In that case you would get the (pseudo) key from the engine like this
   EVP_PKEY *engine_key = ENGINE_load_private_key(ENGINE *e, const char *key_id, UI_METHOD *ui_method, void *callback_data);
and then set
  pkey = &engine_key;
and see if that works.
Note that the
ENGINE_load_private_key() function *does* return a EVP_PKEY struct but that does not mean the entire private key is contained in it; a private key consists of a modulus and a private part (exponent, prime1, prime2, exponent1, exponent2 etc). the ENGINE_load_private_key() call will return a struct containing the modulus but not the rest. You then use the engine to do the actual encryption and decryption.

HTH,

JJK






[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux