private key not available for client_cert_cb

George whippet0 at gmail.com
Wed Dec 16 19:26:59 UTC 2020


Hi,

I've been looking at the code in the pppd EAP-TLS patch, but I can't seem to load the engine with the pkcs11 DLL. It is failing with the error:

error:2507606A:DSO support routines:WIN32_BIND_FUNC:could not bind to the requested symbol name

I've verified the path is correct.

I am using OpenSSL 1.0.2u with the FIPS Object Module 2.0.16 in Windows 10. Do I need to do anything special to allow loading of DLLs in OpenSSL?

Here is what I am trying to do:

    char* engine_name = "C:\\Users\\whipp\\junk4\\ActivClient\\acpkcs211.dll";
    ENGINE_load_builtin_engines();
    ENGINE_register_all_complete();
    ENGINE *pkey_engine = ENGINE_by_id("dynamic");
    ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH", engine_name, 0);
    ENGINE_ctrl_cmd_string(pkey_engine, "ID", "pkcs11", 0);
    ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0);

Do you see anything wrong with this?


Thanks,
George

On 2020-12-15 4:38 a.m., Jan Just Keijser wrote:
> Hi,
>
> On 14/12/20 21:01, George wrote:
>> Ok, so I am not actually going to populate EVP_PKEY with a private 
>> key in the callback function:
>> int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)?
>>
>> Instead, I will call
>> EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, 
>> UI_METHOD *ui_method, void *callback_data);
>> to get the EVP_PKEY, which will be used by OpenSSL to access the 
>> Smart Card.
>>
>> Once I get the resulting EVP_PKEY using ENGINE_load_private_key(...), 
>> how do I assign it to pkey in the callback function?
>> If I had private key I would use something like
>> EVP_PKEY_assign_RSA(..)
>> Since I don't actually have a private key, should I use something else?
>>
> Like Michael pointed out, my eap-tls code is just an example of how 
> you could handle a pkcs11 device; it does not use a callback at all, 
> but my code loads the client cert+key upfront and avoids having to use 
> a client callback altogether.
>
> I guess you could also use a client callback for this (perhaps in 
> combination with SSL_CTX_set_client_cert_engine()). In that case you 
> would get the (pseudo) key from the engine like this
>    EVP_PKEY *engine_key = ENGINE_load_private_key(ENGINE *e, const 
> char *key_id, UI_METHOD *ui_method, void *callback_data);
> and then set
>   pkey = &engine_key;
> and see if that works.
> Note that the ENGINE_load_private_key() function *does* return an 
> EVP_PKEY struct, but that does not mean the entire private key is 
> contained in it; a private key consists of a modulus and a private 
> part (exponent, prime1, prime2, exponent1, exponent2, etc.). The 
> ENGINE_load_private_key() call will return a struct containing the 
> modulus but not the rest. You then use the engine to do the actual 
> encryption and decryption.
>
> HTH,
>
> JJK
>
>
