private key not available for client_cert_cb

George whippet0 at gmail.com
Sat Dec 19 03:48:39 UTC 2020


Hi,

   I narrowed the problem down to
ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL)

This causes the initial exception
Exception thrown at 0x757346D2 in GENCom.exe: Microsoft C++ exception: 
unsigned long at memory location 0x006FCD68.

It looks like some of the Engine methods cause an exception, but not all 
of them:
*
Works:*
ENGINE_METHOD_CIPHERS
ENGINE_METHOD_DIGESTS
ENGINE_METHOD_DSA
ENGINE_METHOD_DH
ENGINE_METHOD_RAND
ENGINE_METHOD_PKEY_ASN1_METHS

*Causes An Exception:*
ENGINE_METHOD_RSA
ENGINE_METHOD_ECDH
ENGINE_METHOD_ECDSA
ENGINE_METHOD_PKEY_METHS


Is that normal behaviour, or is something wrong? Is there a way to find 
the supported engine methods to avoid triggering an exception?

It seems like alot of other smaple code I have looked at calls
ENGINE_init(pkey_engine);

Is the needed? When I call it, it always returns with "0". Should it be 
returning with "1"?

I did some testing in the OpenSSL command line, and here is what I found:

    - The command line "speed" test appears to be fine:

        OpenSSL> speed -engine pkcs11
        engine "pkcs11" set.
        Doing mdc2 for 3s on 16 size blocks: 2688737 mdc2's in 2.98s
        Doing mdc2 for 3s on 64 size blocks: 880529 mdc2's in 3.00s
        Doing mdc2 for 3s on 256 size blocks: 240916 mdc2's in 2.98s
        Doing mdc2 for 3s on 1024 size blocks: 61287 mdc2's in 3.00s
        Doing mdc2 for 3s on 8192 size blocks: 7774 mdc2's in 2.98s
        .
        .
        .

    -  I also tried the following, which successfully created the PEM files:

        OpenSSL> req -engine pkcs11 -new -key
        "pkcs11:object=Authentication - *;type=private;pin-value=123456"
        -keyform engine -out req2.pem -text -x509 -subj "/CN=*"
        OpenSSL> x509 -engine pkcs11 -signkey
        "pkcs11:object=Authentication - *;type=private;pin-value=123456"
        -keyform engine -in req2.pem -out cert2.pem





Thanks,
George


On 2020-12-18 3:40 a.m., Jan Just Keijser wrote:
> Hi,
>
> On 18/12/20 06:21, George wrote:
>> Hi,
>>
>>    I'm able to setup the engine now, but as soon as I attempt to 
>> execute the command
>> ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL);
>> ,I see all kinds of middleware exceptions being generated:
>>
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>> exception: unsigned long at memory location 0x07FCFA00.
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>> .
>> .
>> .
>>
>>
>> Do you have any idea what is causing these errors? Am I missing 
>> something in the configuration? When I use the OpenSSL command line 
>> debugger, there are no errors:
>>
>> OpenSSL> engine -t dynamic -pre 
>> "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll" 
>> -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program 
>> Files (x86)\HID Global\ActivClient\\acpkcs211.dll"
>> (dynamic) Dynamic engine loading support
>> [Success]: 
>> SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll
>> [Success]: ID:pkcs11
>> [Success]: LIST_ADD:1
>> [Success]: LOAD
>> [Success]: MODULE_PATH:C:\Program Files (x86)\HID 
>> Global\ActivClient\\acpkcs211.dll
>> Loaded: (pkcs11) pkcs11 engine
>>      [ available ]
>> OpenSSL>
>>
>>
>> Here is what my simplified code looks like:
>>
>> char* enginePluginLibrary = 
>> "C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll";
>> char* pkcs11MiddlewareLibrary = "C:\\Program Files (x86)\\HID 
>> Global\\ActivClient\\acpkcs211.dll";
>> ENGINE_load_builtin_engines();
>> ENGINE_register_all_complete();
>> ENGINE *pkey_engine = ENGINE_by_id("dynamic");
>>
>> ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH", enginePluginLibrary, 0);
>> ENGINE_ctrl_cmd_string(pkey_engine, "ID", "pkcs11", 0);
>> ENGINE_ctrl_cmd_string(pkey_engine, "LIST_ADD", "1", 0);
>> ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0);
>> ENGINE_ctrl_cmd_string(pkey_engine, "MODULE_PATH", 
>> pkcs11MiddlewareLibrary, 0);
>> ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL);
>>
>>
> main difference between the OPENSSL.EXE example and your code is that 
> last call:
>
> here's wat "ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL)" does:
>
>
> int ENGINE_set_default(ENGINE *e, unsigned int flags)
> {
>     if ((flags & ENGINE_METHOD_CIPHERS) && 
> !ENGINE_set_default_ciphers(e))
>         return 0;
>     if ((flags & ENGINE_METHOD_DIGESTS) && 
> !ENGINE_set_default_digests(e))
>         return 0;
> #ifndef OPENSSL_NO_RSA
>     if ((flags & ENGINE_METHOD_RSA) && !ENGINE_set_default_RSA(e))
>         return 0;
> #endif
> #ifndef OPENSSL_NO_DSA
>     if ((flags & ENGINE_METHOD_DSA) && !ENGINE_set_default_DSA(e))
>         return 0;
> #endif
> #ifndef OPENSSL_NO_DH
>     if ((flags & ENGINE_METHOD_DH) && !ENGINE_set_default_DH(e))
>         return 0;
> #endif
> #ifndef OPENSSL_NO_ECDH
>     if ((flags & ENGINE_METHOD_ECDH) && !ENGINE_set_default_ECDH(e))
>         return 0;
> #endif
> #ifndef OPENSSL_NO_ECDSA
>     if ((flags & ENGINE_METHOD_ECDSA) && !ENGINE_set_default_ECDSA(e))
>         return 0;
> #endif
>     if ((flags & ENGINE_METHOD_RAND) && !ENGINE_set_default_RAND(e))
>         return 0;
>     if ((flags & ENGINE_METHOD_PKEY_METHS)
>         && !ENGINE_set_default_pkey_meths(e))
>         return 0;
>     if ((flags & ENGINE_METHOD_PKEY_ASN1_METHS)
>         && !ENGINE_set_default_pkey_asn1_meths(e))
>         return 0;
>     return 1;
> }
>
> (from the openssl 1.0.2 source tree)
> It could be that one of those methods is not throwing the errors with 
> your smart card.
> I'd advise you to test your smart card capabilities . It might also be 
> useful to do more command line testing with your smartcard using
>
>   engine -vvvv -t dynamic -pre 
> "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll" 
> -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program 
> Files (x86)\HID Global\ActivClient\\acpkcs211.dll"
>
> and then try out certain operations, like encrypt/decrypt or simply 
> use the command
>   speed
>
> and watch for any errors - that should give you a hint which method is 
> not supported by your smart card.
>
> HTH,
>
> JJK
>>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20201218/8f83179e/attachment.html>


More information about the openssl-users mailing list