private key not available for client_cert_cb

Jan Just Keijser janjust at nikhef.nl
Mon Dec 14 08:51:14 UTC 2020 

Hi,

On 14/12/20 08:08, George wrote:
> Hi,
>
>    I'm new to OpenSSL and am trying to set up mutual authentication in 
> a client. The client is setup with OpenSSL 1.0.2u. and the client's 
> certificate + private key is stored on a Smart Card.  When the client 
> receives a certificate request from the server during the mutual 
> authentication handshake, the OpenSSL /client_cert_cb/ callback 
> function is automatically invoked. The problem is that 
> /client_cert_cb/ requires a private key. Unfortunately, it is not 
> possible to get a private key from a Smart Card. Is there a way to 
> send a certificate to the server without needing the private key?
>
> I'm setting up the callback function with:
>
> void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int 
> (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
>
>
> Here is a sample of what my code looks like when I set this up:
>
> SSL_CTX_set_client_cert_cb(context, 
> *openSSLClientAuthenticationCallBack*);
>
> int *openSSLClientAuthenticationCallBack*(SSL *ssl, X509 **x509, 
> EVP_PKEY **pkey)
> {
> . . .
> }
>
>
> I can access the Smart Card using the PKCS#11 interface and I'm able 
> to get the certificate and sign it, etc. However, I cannot get the 
> actual private key from the Smart Card.
>
> Does anyone know how I can get around this problem?
>

to use a pkcs#11 smartcard you normally use the OpenSSL pkcs11 engine ; 
you then do something like:

     engine_name = "pkcs11";
     ENGINE_register_all_complete();
     pkey_engine = ENGINE_by_id( "dynamic" );
     if (pkey_engine)
         {
             if (!ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH", 
engine_name, 0)
              || !ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0))
             {
                 warn( "EAP-TLS: Error loading dynamic engine '%s'", 
engine_name );
                 log_ssl_errors();
                 ENGINE_free(e);
                 pkey_engine = NULL;
             }
         }
     }

     if (pkey_engine)
     {
         if(!ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL))
     }
     pkey_engine = eaptls_ssl_load_engine( "pkcs11" );
     pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, 
transfer_pin, &cb_data);
     SSL_CTX_use_PrivateKey(ctx, pkey);

where "transfer_pin" is a callback UI function to query the user for the 
pkcs11 device password.

More detailed code can be found in my pppd EAP-TLS patch, file eap-tls.c at
   https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c

(and search for pkey_engine)

HTH,

JJK

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20201214/a124ef53/attachment-0001.html>

More information about the openssl-users mailing list