private key not available for client_cert_cb

George whippet0 at gmail.com
Mon Dec 14 15:15:18 UTC 2020


Hi Jan,

    Thanks for your response. It looks like I don't already have the PPP 
and PPPD. Do I need to download and install the following?
https://github.com/jjkeijser/ppp/tree/eap-tls

I am using OpenSSL in Windows 10 and compiled it with Visual Studio 
2019. Will this EAP-TLS code compile/work with Visual Studio in Windows?

Are there any other ways to get the Smart Card to work without needing 
to install additional software?


Thanks!
George



On 2020-12-14 3:51 a.m., Jan Just Keijser wrote:
> Hi,
>
> On 14/12/20 08:08, George wrote:
>> Hi,
>>
>>    I'm new to OpenSSL and am trying to set up mutual authentication 
>> in a client. The client is set up with OpenSSL 1.0.2u, and the 
>> client's certificate + private key is stored on a Smart Card.  When 
>> the client receives a certificate request from the server during the 
>> mutual authentication handshake, the OpenSSL client_cert_cb 
>> callback function is automatically invoked. The problem is that 
>> client_cert_cb requires a private key. Unfortunately, it is not 
>> possible to get a private key from a Smart Card. Is there a way to 
>> send a certificate to the server without needing the private key?
>>
>> I'm setting up the callback function with:
>>
>> void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int 
>> (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
>>
>>
>> Here is a sample of what my code looks like when I set this up:
>>
>> SSL_CTX_set_client_cert_cb(context, openSSLClientAuthenticationCallBack);
>>
>> int openSSLClientAuthenticationCallBack(SSL *ssl, X509 **x509, 
>> EVP_PKEY **pkey)
>> {
>> . . .
>> }
>>
>>
>> I can access the Smart Card using the PKCS#11 interface and I'm able 
>> to get the certificate and sign it, etc. However, I cannot get the 
>> actual private key from the Smart Card.
>>
>> Does anyone know how I can get around this problem?
>>
>
> to use a pkcs#11 smartcard you normally use the OpenSSL pkcs11 engine; 
> you then do something like:
>
>     /* load the pkcs11 engine through the "dynamic" loader; returns NULL on failure */
>     static ENGINE *eaptls_ssl_load_engine( const char *engine_name )
>     {
>         ENGINE *pkey_engine;
>
>         ENGINE_load_builtin_engines();   /* makes the "dynamic" engine resolvable */
>         ENGINE_register_all_complete();
>         pkey_engine = ENGINE_by_id( "dynamic" );
>         if (pkey_engine)
>         {
>             if (!ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH", engine_name, 0)
>              || !ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0))
>             {
>                 warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name );
>                 log_ssl_errors();
>                 ENGINE_free(pkey_engine);
>                 pkey_engine = NULL;
>             }
>         }
>
>         if (pkey_engine)
>         {
>             /* also takes the functional reference ENGINE_load_private_key needs */
>             if (!ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL))
>             {
>                 warn( "EAP-TLS: Error setting default engine '%s'", engine_name );
>                 log_ssl_errors();
>             }
>         }
>         return pkey_engine;
>     }
>
>     /* the EVP_PKEY returned here is a handle; signing happens on the card */
>     pkey_engine = eaptls_ssl_load_engine( "pkcs11" );
>     pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, 
>                                    transfer_pin, &cb_data);
>     SSL_CTX_use_PrivateKey(ctx, pkey);
>
> where "transfer_pin" is a callback UI function to query the user for 
> the pkcs11 device password.
>
> More detailed code can be found in my pppd EAP-TLS patch, file 
> eap-tls.c at
> https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c
>
> (and search for pkey_engine)
>
> HTH,
>
> JJK
>
