private key not available for client_cert_cb

Jan Just Keijser janjust at nikhef.nl
Fri Dec 18 01:39:46 UTC 2020


On 17/12/20 14:55, George wrote:
> Ok. So I use the libp11 project DLL file for the SO_PATH and my smart 
> card middleware DLL for the MODULE_PATH when setting up the OpenSSL 
> Engine?
>
>
yes just like in the example I posted below.

I would recommend the p11 wiki page to do it using the command line 
first - much easier to test & debug.

JJK

>
>
> On 2020-12-17 3:22 a.m., Jan Just Keijser wrote:
>> Hi,
>>
>> On 16/12/20 20:26, George wrote:
>>> Hi,
>>>
>>>    I've been looking at the code in the pppd EAP-TLS patch, but I 
>>> can't seem to load the engine with the pkcs11 DLL. It is failing 
>>> with the error:
>>>
>>> error:2507606A:DSO support routines:WIN32_BIND_FUNC:could not bind 
>>> to the requested symbol name
>>>
>>> I've verified the path is correct.
>>>
>>> I am using OpenSSL1.0.2u with the FIPS Object Module 2.0.16 in 
>>> Windows 10. Do I need to do anything special to allow loading of 
>>> DLLs in OpenSSL?
>>>
>>> Here is what I am trying to do:
>>>
>>>     char* engine_name = 
>>> "C:\\Users\\whipp\\junk4\\ActivClient\\acpkcs211.dll";
>>>     ENGINE_load_builtin_engines();
>>>     ENGINE_register_all_complete();
>>>     ENGINE *pkey_engine = ENGINE_by_id("dynamic");
>>>     ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH", engine_name, 0);
>>>     ENGINE_ctrl_cmd_string(pkey_engine, "ID", "pkcs11", 0);
>>>     ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0);
>>>
>>> Do you see anything wrong with this?
>>>
>>
>> I forgot to mention that loading a PKCS11 driver from within OpenSSL 
>> is a 2 stage rocket:
>>
>> first stage:  load the engine_pkcs11 module using
>>
>>     char* engine_name = "|C:\\Windows\\System32\\pkcs11.dll"|
>>
>> This is a separate piece of code and is part of the libp11 project:
>> https://github.com/OpenSC/libp11
>>
>> (it also has a nice wiki that explains how to do it on the command 
>> line using OPENSSL.EXE)
>>
>> Then create an openssl.cnf section like this:
>>
>> |openssl_conf = openssl_init [openssl_init] engines = engine_section 
>> [engine_section] pkcs11 = pkcs11_section [pkcs11_section] engine_id = 
>> pkcs11 dynamic_path = "C:\Windows\System32\opensc-pkcs11.dll" 
>> MODULE_path = "||C:\Users\whipp\junk4\ActivClient\acpkcs211.dll" PIN = "0001password" 
>> init = 0|
>>
>> and load that (see the EAP-TLS code for an example or read
>> https://stackoverflow.com/questions/41119744/pkcs11-engine-for-openssl
>> for a similar question).
>>
>> HTH,
>>
>> JJK
>>
>>
>>
>>
>>> On 2020-12-15 4:38 a.m., Jan Just Keijser wrote:
>>>> Hi,
>>>>
>>>> On 14/12/20 21:01, George wrote:
>>>>> Ok, so I am not actually going to populate EVP_PKEY with a private 
>>>>> key in the callback function:
>>>>> int (*client_cert_cb)(SSL *ssl, X509 **x509, *EVP_PKEY **pkey*)?
>>>>>
>>>>> Instead, I will call
>>>>> EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, 
>>>>> UI_METHOD *ui_method, void *callback_data);
>>>>> to get the EVP_PKEY, which will be used by OpenSSL to access the 
>>>>> Smart Card.
>>>>>
>>>>> Once I get the resulting EVP_PKEY using 
>>>>> ENGINE_load_private_key(...), how do I assign it to pkey in the 
>>>>> callback function?
>>>>> If I had private key I would use something like
>>>>> EVP_PKEY_assign_RSA(..)
>>>>> Since I don't actually have a private key, should I use something 
>>>>> else?
>>>>>
>>>> like Michael pointed out, my  eap-tls code is just an example of 
>>>> how you could handle a pkcs11 device; it does not us a callback at 
>>>> all, but my code loads the client cert+key upfront and avoids 
>>>> having to use a client callback altogether.
>>>>
>>>> I guess you could also use a client callback for this (perhaps in 
>>>> combination with SSL_CTX_set_client_cert_engine()) . In that case 
>>>> you would get the (pseudo) key from the engine like this
>>>>    EVP_PKEY *engine_key = ENGINE_load_private_key(ENGINE *e, const 
>>>> char *key_id, UI_METHOD *ui_method, void *callback_data);
>>>> and then set
>>>>   pkey = &engine_key;
>>>> and see if that works.
>>>> Note that the ENGINE_load_private_key() function *does* return a 
>>>> EVP_PKEY struct but that does not mean the entire private key is 
>>>> contained in it; a private key consists of a modulus and a private 
>>>> part (exponent, prime1, prime2, exponent1, exponent2 etc). the 
>>>> ENGINE_load_private_key() call will return a struct containing the 
>>>> modulus but not the rest. You then use the engine to do the actual 
>>>> encryption and decryption.
>>>>
>>>> HTH,
>>>>
>>>> JJK
>>>>
>>>>
>>>
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20201218/810695ce/attachment-0001.html>


More information about the openssl-users mailing list