Hi,
On 19/12/20 04:48, George wrote:
Hi,
I narrowed the problem down to
ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL)
This causes the initial exception
Exception thrown at 0x757346D2 in GENCom.exe: Microsoft C++ exception: unsigned long at memory location 0x006FCD68.
It looks like some of the Engine methods cause an exception, but
not all of them:
Works:
ENGINE_METHOD_CIPHERS
ENGINE_METHOD_DIGESTS
ENGINE_METHOD_DSA
ENGINE_METHOD_DH
ENGINE_METHOD_RAND
ENGINE_METHOD_PKEY_ASN1_METHS
Causes An Exception:
ENGINE_METHOD_RSA
ENGINE_METHOD_ECDH
ENGINE_METHOD_ECDSA
ENGINE_METHOD_PKEY_METHS
Is that normal behaviour, or is something wrong? Is there a way
to find the supported engine methods to avoid triggering an
exception?
I'd say no engine/pkcs11 module should trigger exceptions - that's
an error in the pkcs11 module.
Something you can try is this:
run the 'openssl.exe' command:
openssl engine -t dynamic -pre "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll" -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program Files (x86)\HID Global\ActivClient\\acpkcs211.dll"
then on the OpenSSL prompt, try
s_client -keyform engine -key 0:<key-id> -cert "clientcert.pem" -connect remote_host:remote_port
that should start a TLS connection and use the pkcs11 engine to ask
for the key, identified by <key-id> in slot 0 (adjust the
slot number if your smart card starts at number 1 etc.)
HTH,
JJK
It seems like a lot of other sample code I have looked at calls
ENGINE_init(pkey_engine);
Is that needed? When I call it, it always returns with
"0". Should it be returning with "1"?
I did some testing in the OpenSSL command line, and here is what
I found:
- The command line "speed" test appears to be fine:
OpenSSL> speed -engine pkcs11
engine "pkcs11" set.
Doing mdc2 for 3s on 16 size blocks: 2688737 mdc2's in 2.98s
Doing mdc2 for 3s on 64 size blocks: 880529 mdc2's in 3.00s
Doing mdc2 for 3s on 256 size blocks: 240916 mdc2's in 2.98s
Doing mdc2 for 3s on 1024 size blocks: 61287 mdc2's in 3.00s
Doing mdc2 for 3s on 8192 size blocks: 7774 mdc2's in 2.98s
...
- I also tried the following, which successfully created the
PEM files:
OpenSSL> req -engine pkcs11 -new -key "pkcs11:object=Authentication - *;type=private;pin-value=123456" -keyform engine -out req2.pem -text -x509 -subj "/CN=*"
OpenSSL> x509 -engine pkcs11 -signkey "pkcs11:object=Authentication - *;type=private;pin-value=123456" -keyform engine -in req2.pem -out cert2.pem
Thanks,
George
On 2020-12-18 3:40 a.m., Jan Just Keijser wrote:
Hi,
On 18/12/20 06:21, George wrote:
Hi,
I'm able to set up the engine now, but as soon as I attempt
to execute the command
ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL);
I see all kinds of middleware exceptions being generated:
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: unsigned long at memory location 0x07FCFA00.
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
...
Do you have any idea what is causing these errors? Am I
missing something in the configuration? When I use the OpenSSL
command line debugger, there are no errors:
OpenSSL> engine -t dynamic -pre "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll" -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program Files (x86)\HID Global\ActivClient\\acpkcs211.dll"
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:C:\Program Files (x86)\HID Global\ActivClient\\acpkcs211.dll
Loaded: (pkcs11) pkcs11 engine
     [ available ]
OpenSSL>
Here is what my simplified code looks like:
#include <openssl/engine.h>

/* libp11 pkcs11 engine DLL and the vendor PKCS#11 middleware it should load */
char *enginePluginLibrary = "C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll";
char *pkcs11MiddlewareLibrary = "C:\\Program Files (x86)\\HID Global\\ActivClient\\acpkcs211.dll";

ENGINE_load_builtin_engines();
ENGINE_register_all_complete();

/* same steps as the "engine -t dynamic -pre ..." command line above */
ENGINE *pkey_engine = ENGINE_by_id("dynamic");
ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH", enginePluginLibrary, 0);
ENGINE_ctrl_cmd_string(pkey_engine, "ID", "pkcs11", 0);
ENGINE_ctrl_cmd_string(pkey_engine, "LIST_ADD", "1", 0);
ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0);
ENGINE_ctrl_cmd_string(pkey_engine, "MODULE_PATH", pkcs11MiddlewareLibrary, 0);

/* the call that triggers the exceptions */
ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL);
The main difference between the OPENSSL.EXE example and your code is
that last call; here's what "ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL)"
does:
int ENGINE_set_default(ENGINE *e, unsigned int flags)
{
    if ((flags & ENGINE_METHOD_CIPHERS) && !ENGINE_set_default_ciphers(e))
        return 0;
    if ((flags & ENGINE_METHOD_DIGESTS) && !ENGINE_set_default_digests(e))
        return 0;
#ifndef OPENSSL_NO_RSA
    if ((flags & ENGINE_METHOD_RSA) && !ENGINE_set_default_RSA(e))
        return 0;
#endif
#ifndef OPENSSL_NO_DSA
    if ((flags & ENGINE_METHOD_DSA) && !ENGINE_set_default_DSA(e))
        return 0;
#endif
#ifndef OPENSSL_NO_DH
    if ((flags & ENGINE_METHOD_DH) && !ENGINE_set_default_DH(e))
        return 0;
#endif
#ifndef OPENSSL_NO_ECDH
    if ((flags & ENGINE_METHOD_ECDH) && !ENGINE_set_default_ECDH(e))
        return 0;
#endif
#ifndef OPENSSL_NO_ECDSA
    if ((flags & ENGINE_METHOD_ECDSA) && !ENGINE_set_default_ECDSA(e))
        return 0;
#endif
    if ((flags & ENGINE_METHOD_RAND) && !ENGINE_set_default_RAND(e))
        return 0;
    if ((flags & ENGINE_METHOD_PKEY_METHS) && !ENGINE_set_default_pkey_meths(e))
        return 0;
    if ((flags & ENGINE_METHOD_PKEY_ASN1_METHS) && !ENGINE_set_default_pkey_asn1_meths(e))
        return 0;
    return 1;
}
(from the openssl 1.0.2 source tree)
It could be that one of those methods is not throwing the errors
with your smart card.
I'd advise you to test your smart card capabilities. It might
also be useful to do more command line testing with your
smartcard using
engine -vvvv -t dynamic -pre "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll" -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program Files (x86)\HID Global\ActivClient\\acpkcs211.dll"
and then try out certain operations, like encrypt/decrypt or
simply use the command
speed
and watch for any errors - that should give you a hint which
method is not supported by your smart card.
HTH,
JJK