private key not available for client_cert_cb
Jan Just Keijser
janjust at nikhef.nl
Thu Dec 17 08:22:08 UTC 2020
Hi,
On 16/12/20 20:26, George wrote:
> Hi,
>
> I've been looking at the code in the pppd EAP-TLS patch, but I
> can't seem to load the engine with the pkcs11 DLL. It is failing with
> the error:
>
> error:2507606A:DSO support routines:WIN32_BIND_FUNC:could not bind to
> the requested symbol name
>
> I've verified the path is correct.
>
> I am using OpenSSL1.0.2u with the FIPS Object Module 2.0.16 in
> Windows 10. Do I need to do anything special to allow loading of DLLs
> in OpenSSL?
>
> Here is what I am trying to do:
>
> char* engine_name =
> "C:\\Users\\whipp\\junk4\\ActivClient\\acpkcs211.dll";
> ENGINE_load_builtin_engines();
> ENGINE_register_all_complete();
> ENGINE *pkey_engine = ENGINE_by_id("dynamic");
> ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH", engine_name, 0);
> ENGINE_ctrl_cmd_string(pkey_engine, "ID", "pkcs11", 0);
> ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0);
>
> Do you see anything wrong with this?
>
I forgot to mention that loading a PKCS11 driver from within OpenSSL is
a 2 stage rocket:
first stage: load the engine_pkcs11 module using
char* engine_name = "|C:\\Windows\\System32\\pkcs11.dll"|
This is a separate piece of code and is part of the libp11 project:
https://github.com/OpenSC/libp11
(it also has a nice wiki that explains how to do it on the command line
using OPENSSL.EXE)
Then create an openssl.cnf section like this:
|openssl_conf = openssl_init [openssl_init] engines = engine_section
[engine_section] pkcs11 = pkcs11_section [pkcs11_section] engine_id =
pkcs11 dynamic_path = "C:\Windows\System32\opensc-pkcs11.dll"
MODULE_path = "||C:\Users\whipp\junk4\ActivClient\acpkcs211.dll" PIN = "0001password"
init = 0|
and load that (see the EAP-TLS code for an example or read
https://stackoverflow.com/questions/41119744/pkcs11-engine-for-openssl
for a similar question).
HTH,
JJK
> On 2020-12-15 4:38 a.m., Jan Just Keijser wrote:
>> Hi,
>>
>> On 14/12/20 21:01, George wrote:
>>> Ok, so I am not actually going to populate EVP_PKEY with a private
>>> key in the callback function:
>>> int (*client_cert_cb)(SSL *ssl, X509 **x509, *EVP_PKEY **pkey*)?
>>>
>>> Instead, I will call
>>> EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
>>> UI_METHOD *ui_method, void *callback_data);
>>> to get the EVP_PKEY, which will be used by OpenSSL to access the
>>> Smart Card.
>>>
>>> Once I get the resulting EVP_PKEY using
>>> ENGINE_load_private_key(...), how do I assign it to pkey in the
>>> callback function?
>>> If I had private key I would use something like
>>> EVP_PKEY_assign_RSA(..)
>>> Since I don't actually have a private key, should I use something else?
>>>
>> like Michael pointed out, my eap-tls code is just an example of how
>> you could handle a pkcs11 device; it does not us a callback at all,
>> but my code loads the client cert+key upfront and avoids having to
>> use a client callback altogether.
>>
>> I guess you could also use a client callback for this (perhaps in
>> combination with SSL_CTX_set_client_cert_engine()) . In that case you
>> would get the (pseudo) key from the engine like this
>> EVP_PKEY *engine_key = ENGINE_load_private_key(ENGINE *e, const
>> char *key_id, UI_METHOD *ui_method, void *callback_data);
>> and then set
>> pkey = &engine_key;
>> and see if that works.
>> Note that the ENGINE_load_private_key() function *does* return a
>> EVP_PKEY struct but that does not mean the entire private key is
>> contained in it; a private key consists of a modulus and a private
>> part (exponent, prime1, prime2, exponent1, exponent2 etc). the
>> ENGINE_load_private_key() call will return a struct containing the
>> modulus but not the rest. You then use the engine to do the actual
>> encryption and decryption.
>>
>> HTH,
>>
>> JJK
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20201217/c2d2ef0b/attachment-0001.html>
More information about the openssl-users
mailing list