Hi,
On 20/12/20 09:39, George wrote:
Hi,
I tried running the "s_client" command and it appears to be
working.
I guess there must be something wrong in my code.
it is good news that the s_client command is working - it means
there is something wrong with your code but you have everything at
hand to fix it: download the openssl 1.0.2 tarball / zip file and
look for the files
apps/s_client.c
apps/apps.c
that contain all of the code that the 's_client' command uses to
make a connection, and my bet is that it also does not call
ENGINE_init
My crash occurs when I call
ENGINE_init(pkey_engine);
I notice your code does not call this function. Is this needed?
If so, when/where should it be called?
tbh, I don't know - look through the openssl sources to see what it
does, exactly.
What exactly is the definition of
"pkey_identifier" in
ENGINE_load_private_key(pkey_engine,
pkey_identifier, transfer_pin, &cb_data) ?
I'm not clear on what this value should be. Can you give an
example of what it would look like?
I have the following on my smart card:
Private Key Object; RSA
label: Authentication - *
ID:
2b2586c684d69b670c0a805edf514e720f2b757d8e2faa0b3a7ff23d1ccfc7ba
Usage: unwrap
Access: sensitive, never extractable
Allowed mechanisms: RSA-PKCS,RSA-X-509
Would the pkey_identifier
be the ID in the above?
yes, although if you have multiple smartcards inserted at the same
time then it helps to add the slot number, e.g.
0:<ID>
What exactly is "prompt_info" in the structure PW_CB_DATA?
i.e.
typedef struct pw_cb_data {
    const void *password;
    const char *prompt_info;
} PW_CB_DATA;
Can you give an example of what it might look like?
Is the value of cb_data populated by the transfer_pin
callback functions, or should it already contain a value
when ENGINE_load_private_key is
called?
Is there a way to skip the callback transfer_pin and use a
hard-coded pin for test purposes when calling ENGINE_load_private_key(...)?
my eap-tls code does just that: if the password is specified in the
ppp config file then the user is not prompted:
if (pkey_engine)
{
    EVP_PKEY *pkey = NULL;
    PW_CB_DATA cb_data;
    UI_METHOD *transfer_pin = NULL;   /* no UI method: never prompt */
    cb_data.password = passwd;        /* PIN from the ppp config file */
    cb_data.prompt_info = pkey_identifier;
    pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier,
                                   transfer_pin, &cb_data);
    if (pkey == NULL)
    {
        /* the engine could not load the key; check the OpenSSL error queue */
    }
}
HTH,
JJK
On 2020-12-19 8:05 p.m., Jan Just Keijser wrote:
I'd say no engine/pkcs11 module should trigger exceptions -
that's an error in the pkcs11 module.
Something you can try is this:
run the 'openssl.exe' command:
openssl engine -t dynamic
    -pre "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll"
    -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
    -pre "MODULE_PATH:C:\Program Files (x86)\HID Global\ActivClient\\acpkcs211.dll"
then at the OpenSSL prompt, try
s_client -keyform engine -key 0:<key-id> -cert
"clientcert.pem" -connect remote_host:remote_port
that should start a TLS connection and use the pkcs11 engine to
ask for the key, identified by <key-id> in slot 0 (adjust
the slot number if your smart card starts at number 1 etc.)
HTH,
JJK
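As an added example (not code from this thread, from OpenSSL or from libp11), the two things George asks about: how the pkey_identifier string is put together from the slot number and the ID column of the token listing (the "0:<ID>" form JJK gives), and how a reader treats a PIN that the caller has already placed in PW_CB_DATA. pin_reader is a hypothetical stand-in for a UI_METHOD reader, and the PIN and key ID are constructed sample values.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Same layout as the PW_CB_DATA typedef quoted in the thread. */
typedef struct pw_cb_data {
    const void *password;    /* PIN set by the caller, or NULL to prompt */
    const char *prompt_info; /* text shown in the prompt, e.g. the key id */
} PW_CB_DATA;

/* Build the pkcs11 engine key identifier "<slot>:<hex-id>" from the slot number
 * and the ID column of the token listing; -1 if the ID is not even-length hex. */
int build_pkcs11_key_id(unsigned slot, const char *hex_id,
                        char *out, size_t outlen)
{
    size_t n = strlen(hex_id), i;
    if (n == 0 || n % 2 != 0)
        return -1;
    for (i = 0; i < n; i++)
        if (!isxdigit((unsigned char)hex_id[i]))
            return -1;
    if (snprintf(out, outlen, "%u:%s", slot, hex_id) >= (int)outlen)
        return -1;                         /* buffer too small */
    return 0;
}

/* Hypothetical stand-in for a UI_METHOD reader (not OpenSSL's code): a PIN the
 * caller put in cb->password is copied to result and no prompt is shown (1);
 * otherwise a prompt built from prompt_info is returned and 0 means "ask". */
int pin_reader(const PW_CB_DATA *cb, char *result, size_t reslen,
               char *prompt, size_t promptlen)
{
    const char *pw = (const char *)cb->password;
    if (pw != NULL && pw[0] != '\0') {
        snprintf(result, reslen, "%s", pw);
        return 1;
    }
    snprintf(prompt, promptlen, "Enter PIN for %s: ",
             cb->prompt_info != NULL ? cb->prompt_info : "private key");
    return 0;
}

int main(void)
{
    char id[80], pin[64], prompt[128];
    PW_CB_DATA cb = { "1234", id };   /* constructed PIN; prompt_info is the key id */
    build_pkcs11_key_id(0, "2b2586c684d69b670c0a805edf514e72", id, sizeof id);
    printf("%s -> pre-set PIN used: %d\n", id,
           pin_reader(&cb, pin, sizeof pin, prompt, sizeof prompt));
    return 0;
}
```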