ODP: CSR generation using pkcs11 token engine from C# code

[Piotr Lobacz <piotr.lobacz@xxxxxxxxxxxx>]

Ok i am trying to use this code:

TokenEngine::TokenEngine( const StringList & modulePaths )

{

    ENGINE * tok = ENGINE_by_id( "pkcs11" );

    if ( ! tok )

        throw Exception( "token: unable to get engine" );

    m_pEngine = tok;

    const string modulePath( findFirstExisting( modulePaths ) );

    if ( modulePath.empty() )

        throw Exception( "token: unable to find module path" );

    DEBUG( "token: ctor: module_path=" << QS( modulePath ) );

    if ( 1 != ENGINE_ctrl_cmd_string( tok, "MODULE_PATH", modulePath.c_str(), CMD_MANDATORY ) )

        throw Exception( "token: setting module_path <= " + QS( modulePath ) );

    DEBUG( "token: ctor: initializing " << m_pEngine );

    if ( 1 != ENGINE_init( tok ) )

        throw Exception( "token: unable to initialize" );

    DEBUG( "token: ctor: done" );

}

which is from this site https://github.com/tkil/openssl-pkcs11-samples/blob/master/OpenSSLWrappers.cpp and the problem is that if i change modulePath value to a not existing file the method is still returning 1 which i think it should not. Correct me if i'm wrong.

BR

Piotr

---

Od: Michael McKenney <mike.mckenney@xxxxxxxxxxxxxxxx>
Wysłane: poniedziałek, 24 maja 2021 14:17
Do: Piotr Lobacz <piotr.lobacz@xxxxxxxxxxxx>; openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx>
Temat: RE: CSR generation using pkcs11 token engine from C# code

 

Usually I reserve C# for Windows servers.   I use PHP on Ubuntu other Linux Distros.    Most web servers that need OpenSSL are Linux.   Glad you got it working.    

 

From: Piotr Lobacz <piotr.lobacz@xxxxxxxxxxxx>
Sent: Monday, May 24, 2021 8:10 AM
To: Michael McKenney <mike.mckenney@xxxxxxxxxxxxxxxx>; openssl-users@xxxxxxxxxxx
Subject: ODP: CSR generation using pkcs11 token engine from C# code

 

Hi Michael,

thx for your quick reply. Unfortunately i can't use your script because i need to use native code not bash implementation.

 

For the first question about loading token module i have found a solution on github https://github.com/tkil/openssl-pkcs11-samples . This code is a C/C++ code but i can fairly port it to C#, and i was right about different load of engine for pkcs11 engine. So this can be closed.

 

Another thing is to generate CSR with the usage of token and openssl. This will be more complicated and i don't know yet how to do that.

 

BR

Piotr

 

---

Od: Michael McKenney <mike.mckenney@xxxxxxxxxxxxxxxx>
Wysłane: poniedziałek, 24 maja 2021 13:28
Do: Piotr Lobacz <piotr.lobacz@xxxxxxxxxxxx>; openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx>
Temat: RE: CSR generation using pkcs11 token engine from C# code

 

I wrote this script years ago when I switched to Godaddy 10 site  certificates.   I don't use it from C#   You could easily put it into C# or PHP.   <  >  would be variables at the top.   I have it filled in so I just modify the alt_names.   I just cut and paste the all of it into Ubuntu and run it in the directory  /etc/apache2/ssl.   If you don't need all 10, you can delete the extra ones in alt_names.  


openssl req -new -sha256 -nodes -out \<crs_name.csr> -newkey rsa:2048 -keyout \<your key name.key> -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C= < country >
ST= < Your States >
L= < City or location >
O= < Organization >
OU= <Organizational Unit >
emailAddress= <your email>
CN = <The common name of the cert>

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = < domain #1 >
DNS.2 = < domain #2 >
DNS.3 = < domain #3 >
DNS.4 = < domain #4 >
DNS.5 = < domain #5 >
DNS.6 = < domain #6 >
DNS.7 = < domain #7 >
DNS.8 = < domain #8 >
DNS.9 = < domain #9 >
EOF
)






-----Original Message-----
From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Piotr Lobacz
Sent: Monday, May 24, 2021 5:54 AM
To: openssl-users@xxxxxxxxxxx
Subject: CSR generation using pkcs11 token engine from C# code

Hi all,
i am currently trying to generate CSR with the usage of tpm2-pkcs11 module together with pkcs11 engine from opensc and the whole thing running with openssl api from C# code.

I have checked that my solution works from command line. I have added these lines:

openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines-1.1/libpkcs11.so MODULE_PATH = /usr/lib/libtpm2_pkcs11.so init = 0

to the /etc/ssl/openssl.cnf configuration file and than this command:

openssl req -new -subj '/C=PL/ST=Gdansk/L=Gdansk/CN=softgent.com/' -sha256 -engine pkcs11 -keyform engine -key "pkcs11:token=foo;object=tls;type=private;pin-value=1234567890"

produces CSR for me.

Now i want to do all this, from C# code. I have found a C# library https://github.com/andyhopp/OpenSsl.DynamicEngine which will load the engine, but i think that this won't be sufficient in a matter of pkcs11 engine, because i also need to load pkcs11 module. The question is what should i add to this library for propper work in means of pkcs11 api? What i mean is to use all this data from cnf file to configure openssl. Another question is how to execute this command above for csr from C#? I suspect that because on linux C# sdk uses openssl api for all cryptographic operations than it should be somehow similar to the C solution. I would be gratefull if someone could point me at least for a C solution of this issue.

Best regards
Piotr Lobacz
[https://softgent.com/wp-content/uploads/2020/01/Zasob-14.png]<https://www.softgent.com>

Softgent Sp. z o.o., Budowlanych 31d, 80-298 Gdansk, POLAND

KRS: 0000674406, NIP: 9581679801, REGON: 367090912

www.softgent.com

Sąd Rejonowy Gdańsk-Północ w Gdańsku, VII Wydział Gospodarczy Krajowego Rejestru Sądowego

KRS 0000674406, Kapitał zakładowy: 25 000,00 zł wpłacony w całości.