private key not available for client_cert_cb

George whippet0 at gmail.com
Thu Dec 17 13:55:37 UTC 2020


Ok. So I use the libp11 project DLL file for the SO_PATH and my smart 
card middleware DLL for the MODULE_PATH when setting up the OpenSSL Engine?


Thanks,
George



On 2020-12-17 3:22 a.m., Jan Just Keijser wrote:
> Hi,
>
> On 16/12/20 20:26, George wrote:
>> Hi,
>>
>>    I've been looking at the code in the pppd EAP-TLS patch, but I 
>> can't seem to load the engine with the pkcs11 DLL. It is failing with 
>> the error:
>>
>> error:2507606A:DSO support routines:WIN32_BIND_FUNC:could not bind to 
>> the requested symbol name
>>
>> I've verified the path is correct.
>>
>> I am using OpenSSL1.0.2u with the FIPS Object Module 2.0.16 in 
>> Windows 10. Do I need to do anything special to allow loading of DLLs 
>> in OpenSSL?
>>
>> Here is what I am trying to do:
>>
>>     char* engine_name = 
>> "C:\\Users\\whipp\\junk4\\ActivClient\\acpkcs211.dll";
>>     ENGINE_load_builtin_engines();
>>     ENGINE_register_all_complete();
>>     ENGINE *pkey_engine = ENGINE_by_id("dynamic");
>>     ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH", engine_name, 0);
>>     ENGINE_ctrl_cmd_string(pkey_engine, "ID", "pkcs11", 0);
>>     ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0);
>>
>> Do you see anything wrong with this?
>>
>
> I forgot to mention that loading a PKCS11 driver from within OpenSSL 
> is a 2 stage rocket:
>
> first stage:  load the engine_pkcs11 module using
>
>     char* engine_name = "|C:\\Windows\\System32\\pkcs11.dll"|
>
> This is a separate piece of code and is part of the libp11 project:
> https://github.com/OpenSC/libp11
>
> (it also has a nice wiki that explains how to do it on the command 
> line using OPENSSL.EXE)
>
> Then create an openssl.cnf section like this:
>
> |openssl_conf = openssl_init [openssl_init] engines = engine_section 
> [engine_section] pkcs11 = pkcs11_section [pkcs11_section] engine_id = 
> pkcs11 dynamic_path = "C:\Windows\System32\opensc-pkcs11.dll" 
> MODULE_path = "||C:\Users\whipp\junk4\ActivClient\acpkcs211.dll" PIN = "0001password" 
> init = 0|
>
> and load that (see the EAP-TLS code for an example or read
> https://stackoverflow.com/questions/41119744/pkcs11-engine-for-openssl
> for a similar question).
>
> HTH,
>
> JJK
>
>
>
>
>> On 2020-12-15 4:38 a.m., Jan Just Keijser wrote:
>>> Hi,
>>>
>>> On 14/12/20 21:01, George wrote:
>>>> Ok, so I am not actually going to populate EVP_PKEY with a private 
>>>> key in the callback function:
>>>> int (*client_cert_cb)(SSL *ssl, X509 **x509, *EVP_PKEY **pkey*)?
>>>>
>>>> Instead, I will call
>>>> EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, 
>>>> UI_METHOD *ui_method, void *callback_data);
>>>> to get the EVP_PKEY, which will be used by OpenSSL to access the 
>>>> Smart Card.
>>>>
>>>> Once I get the resulting EVP_PKEY using 
>>>> ENGINE_load_private_key(...), how do I assign it to pkey in the 
>>>> callback function?
>>>> If I had private key I would use something like
>>>> EVP_PKEY_assign_RSA(..)
>>>> Since I don't actually have a private key, should I use something else?
>>>>
>>> like Michael pointed out, my  eap-tls code is just an example of how 
>>> you could handle a pkcs11 device; it does not us a callback at all, 
>>> but my code loads the client cert+key upfront and avoids having to 
>>> use a client callback altogether.
>>>
>>> I guess you could also use a client callback for this (perhaps in 
>>> combination with SSL_CTX_set_client_cert_engine()) . In that case 
>>> you would get the (pseudo) key from the engine like this
>>>    EVP_PKEY *engine_key = ENGINE_load_private_key(ENGINE *e, const 
>>> char *key_id, UI_METHOD *ui_method, void *callback_data);
>>> and then set
>>>   pkey = &engine_key;
>>> and see if that works.
>>> Note that the ENGINE_load_private_key() function *does* return a 
>>> EVP_PKEY struct but that does not mean the entire private key is 
>>> contained in it; a private key consists of a modulus and a private 
>>> part (exponent, prime1, prime2, exponent1, exponent2 etc). the 
>>> ENGINE_load_private_key() call will return a struct containing the 
>>> modulus but not the rest. You then use the engine to do the actual 
>>> encryption and decryption.
>>>
>>> HTH,
>>>
>>> JJK
>>>
>>>
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20201217/6568af78/attachment-0001.html>


More information about the openssl-users mailing list