Hi Ladislav,

your provider needs to implement an OSSL_STORE provider functionality with a special URI scheme that will be recognized by your provider. The certificate and the private key then need to be loaded by using the OSSL_STORE API, which will call your provider's store implementation if the URI scheme matches.

The purpose of SSL_CTX_load_verify_store() is to load a trusted store of CA certificates to verify the server's certificate. It is not related to client certificate authentication. You need to load the client certificate using the OSSL_STORE API and then set it on the SSL_CTX via SSL_CTX_use_certificate(). Similarly for the private key.

Tomas Mraz, OpenSSL

On Mon, 2023-02-06 at 18:29 +0100, Ladislav Marko wrote:
> Dear OpenSSL users,
>
> I'm currently developing an OpenSSL provider (so I'm using OpenSSL
> versions 3.0 and newer, currently self-compiled 3.1.0-beta2-dev). One
> key feature of the provider will be providing client certificates (from
> my provider's store) to servers upon request during TLS.
>
> I've implemented decoder, keymgmt, signature and store functionalities.
>
> To quote documentation from `SSL_CTX_set_client_cert_cb`, "When a
> certificate was set using the SSL_CTX_use_certificate(3) family of
> functions, it will be sent to the server." I've used
> `SSL_CTX_load_verify_store()` which I believe suffices.
>
> Unfortunately none of my functions get called afterward when dealing
> with the client certificate. And by that I mean that my store isn't
> opened to see if I have matching certificates.
>
> I've tried to circumvent this behavior with
> `SSL_CTX_set_client_cert_cb()`, where I load the certificate and key
> manually, but to no avail. None of my implemented functions get called,
> and when looking at the stack trace I get lost really fast since there
> is some caching happening. I'm suspicious that my functions don't get
> called in this case because I have not implemented digest
> functionalities, since the last trace output I get is "Using client
> verify alg SHA2-256". (Although I get that output even when not using a
> custom client certificate callback.)
>
> So my question is: What needs to be implemented/changed/called so
> OpenSSL will use certificates from my provider's store as client
> certificates?
>
> Any help would be strongly appreciated.
> Ladislav Marko
>
--
Tomáš Mráz, OpenSSL