private key not available for client_cert_cb
George
whippet0 at gmail.com
Sat Dec 19 03:48:39 UTC 2020
Hi,
I narrowed the problem down to
ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL)
This causes the initial exception
Exception thrown at 0x757346D2 in GENCom.exe: Microsoft C++ exception:
unsigned long at memory location 0x006FCD68.
It looks like some of the Engine methods cause an exception, but not all
of them:
*Works:*
ENGINE_METHOD_CIPHERS
ENGINE_METHOD_DIGESTS
ENGINE_METHOD_DSA
ENGINE_METHOD_DH
ENGINE_METHOD_RAND
ENGINE_METHOD_PKEY_ASN1_METHS
*Causes An Exception:*
ENGINE_METHOD_RSA
ENGINE_METHOD_ECDH
ENGINE_METHOD_ECDSA
ENGINE_METHOD_PKEY_METHS
Is that normal behaviour, or is something wrong? Is there a way to find
the supported engine methods to avoid triggering an exception?
It seems like a lot of other sample code I have looked at calls
ENGINE_init(pkey_engine);
Is that needed? When I call it, it always returns with "0". Should it be
returning with "1"?
I did some testing in the OpenSSL command line, and here is what I found:
- The command line "speed" test appears to be fine:
OpenSSL> speed -engine pkcs11
engine "pkcs11" set.
Doing mdc2 for 3s on 16 size blocks: 2688737 mdc2's in 2.98s
Doing mdc2 for 3s on 64 size blocks: 880529 mdc2's in 3.00s
Doing mdc2 for 3s on 256 size blocks: 240916 mdc2's in 2.98s
Doing mdc2 for 3s on 1024 size blocks: 61287 mdc2's in 3.00s
Doing mdc2 for 3s on 8192 size blocks: 7774 mdc2's in 2.98s
.
.
.
- I also tried the following, which successfully created the PEM files:
OpenSSL> req -engine pkcs11 -new -key
"pkcs11:object=Authentication - *;type=private;pin-value=123456"
-keyform engine -out req2.pem -text -x509 -subj "/CN=*"
OpenSSL> x509 -engine pkcs11 -signkey
"pkcs11:object=Authentication - *;type=private;pin-value=123456"
-keyform engine -in req2.pem -out cert2.pem
Thanks,
George
On 2020-12-18 3:40 a.m., Jan Just Keijser wrote:
> Hi,
>
> On 18/12/20 06:21, George wrote:
>> Hi,
>>
>> I'm able to setup the engine now, but as soon as I attempt to
>> execute the command
>> ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL);
>> ,I see all kinds of middleware exceptions being generated:
>>
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>> exception: unsigned long at memory location 0x07FCFA00.
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>> .
>> .
>> .
>>
>>
>> Do you have any idea what is causing these errors? Am I missing
>> something in the configuration? When I use the OpenSSL command line
>> debugger, there are no errors:
>>
>> OpenSSL> engine -t dynamic -pre
>> "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll"
>> -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program
>> Files (x86)\HID Global\ActivClient\\acpkcs211.dll"
>> (dynamic) Dynamic engine loading support
>> [Success]:
>> SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll
>> [Success]: ID:pkcs11
>> [Success]: LIST_ADD:1
>> [Success]: LOAD
>> [Success]: MODULE_PATH:C:\Program Files (x86)\HID
>> Global\ActivClient\\acpkcs211.dll
>> Loaded: (pkcs11) pkcs11 engine
>> [ available ]
>> OpenSSL>
>>
>>
>> Here is what my simplified code looks like:
>>
>> char* enginePluginLibrary =
>> "C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll";
>> char* pkcs11MiddlewareLibrary = "C:\\Program Files (x86)\\HID
>> Global\\ActivClient\\acpkcs211.dll";
>> ENGINE_load_builtin_engines();
>> ENGINE_register_all_complete();
>> ENGINE *pkey_engine = ENGINE_by_id("dynamic");
>>
>> ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH", enginePluginLibrary, 0);
>> ENGINE_ctrl_cmd_string(pkey_engine, "ID", "pkcs11", 0);
>> ENGINE_ctrl_cmd_string(pkey_engine, "LIST_ADD", "1", 0);
>> ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0);
>> ENGINE_ctrl_cmd_string(pkey_engine, "MODULE_PATH",
>> pkcs11MiddlewareLibrary, 0);
>> ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL);
>>
>>
> The main difference between the OPENSSL.EXE example and your code is that
> last call:
>
> here's what "ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL)" does:
>
>
> int ENGINE_set_default(ENGINE *e, unsigned int flags)
> {
> if ((flags & ENGINE_METHOD_CIPHERS) &&
> !ENGINE_set_default_ciphers(e))
> return 0;
> if ((flags & ENGINE_METHOD_DIGESTS) &&
> !ENGINE_set_default_digests(e))
> return 0;
> #ifndef OPENSSL_NO_RSA
> if ((flags & ENGINE_METHOD_RSA) && !ENGINE_set_default_RSA(e))
> return 0;
> #endif
> #ifndef OPENSSL_NO_DSA
> if ((flags & ENGINE_METHOD_DSA) && !ENGINE_set_default_DSA(e))
> return 0;
> #endif
> #ifndef OPENSSL_NO_DH
> if ((flags & ENGINE_METHOD_DH) && !ENGINE_set_default_DH(e))
> return 0;
> #endif
> #ifndef OPENSSL_NO_ECDH
> if ((flags & ENGINE_METHOD_ECDH) && !ENGINE_set_default_ECDH(e))
> return 0;
> #endif
> #ifndef OPENSSL_NO_ECDSA
> if ((flags & ENGINE_METHOD_ECDSA) && !ENGINE_set_default_ECDSA(e))
> return 0;
> #endif
> if ((flags & ENGINE_METHOD_RAND) && !ENGINE_set_default_RAND(e))
> return 0;
> if ((flags & ENGINE_METHOD_PKEY_METHS)
> && !ENGINE_set_default_pkey_meths(e))
> return 0;
> if ((flags & ENGINE_METHOD_PKEY_ASN1_METHS)
> && !ENGINE_set_default_pkey_asn1_meths(e))
> return 0;
> return 1;
> }
>
> (from the openssl 1.0.2 source tree)
> It could be that one of those methods is not throwing the errors with
> your smart card.
> I'd advise you to test your smart card capabilities. It might also be
> useful to do more command line testing with your smartcard using
>
> engine -vvvv -t dynamic -pre
> "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll"
> -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program
> Files (x86)\HID Global\ActivClient\\acpkcs211.dll"
>
> and then try out certain operations, like encrypt/decrypt or simply
> use the command
> speed
>
> and watch for any errors - that should give you a hint which method is
> not supported by your smart card.
>
> HTH,
>
> JJK
>>
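The thread asks two things that the command line can answer before any C code is written: which ENGINE_METHOD_* flags the loaded pkcs11 engine actually provides (so that ENGINE_set_default() can be given that subset instead of ENGINE_METHOD_ALL), and whether ENGINE_init() succeeds (the `-t` option of `openssl engine` calls ENGINE_init and prints `[ available ]` or `[ unavailable ]`; `-c` prints the engine's capability list). The script below is an added example, not code from George, JJK, OpenSSL or libp11. It assumes the listing format of `apps/engine.c` (a `(id) name` or `Loaded: (id) name` header, an indented `[RSA, DSA, DH, RAND, ...]` capability line, then the `[ available ]` line), treats `EC` as the 1.1.x capability name, and the `ENGINE_SO_PATH` / `PKCS11_MODULE` variables and the sample listing are constructed placeholders.

```shell
#!/bin/sh
# Added example for this thread, not code from George, JJK, OpenSSL or libp11.
# Turns the capability listing of "openssl engine -c -t" into the subset of
# ENGINE_METHOD_* flags an engine really provides, so ENGINE_set_default() can
# be called with that subset instead of ENGINE_METHOD_ALL.
# Assumed listing format (apps/engine.c, 1.0.2 / 1.1.x):
#   (id) engine name        or, after a dynamic LOAD:   Loaded: (id) engine name
#    [RSA, DSA, DH, RAND, ...]          capability line, printed with -c
#        [ available ] / [ unavailable ]   ENGINE_init() result, printed with -t

# engine_caps ID: read a listing on stdin; print the engine's state on the first
# line ("available", "unavailable", or "unknown" when -t was not used), then one
# capability token per line in listing order. Exit 1 if ID is not listed at all.
engine_caps() {
    awk -v id="$1" '
        /^(Loaded: )?\([^)]+\)/ {              # header line starts a new engine block
            s = $0; sub(/^Loaded: /, "", s)
            cur = substr(s, 2, index(s, ")") - 2)
            if (cur == id) seen = 1
            next
        }
        cur == id && /^ *\[ *(un)?available *\]/ {
            state = ($0 ~ /unavailable/) ? "unavailable" : "available"
            next
        }
        cur == id && /^ *\[.*\]$/ {            # capability line, e.g. " [RSA, RAND]"
            line = $0
            gsub(/^ *\[|\]$/, "", line)
            n = split(line, toks, /, */)
            for (i = 1; i <= n; i++) caps[++ncaps] = toks[i]
            next
        }
        END {
            if (!seen) exit 1
            print (state == "" ? "unknown" : state)
            for (i = 1; i <= ncaps; i++) print caps[i]
        }'
}

# engine_method_flags ID: map capability tokens to the ENGINE_METHOD_* flags that
# ENGINE_set_default() understands. RSA/DSA/DH/RAND are the names apps/engine.c
# prints; "EC" is assumed to be the 1.1.x name. Cipher, digest and pkey-method
# tokens are ignored here. Prints "A|B|C", or an empty line if nothing matched.
engine_method_flags() {
    engine_caps "$1" | awk '
        function add(f) { mask = (mask == "" ? f : mask "|" f) }
        NR == 1      { next }                  # skip the state line
        $0 == "RSA"  { add("ENGINE_METHOD_RSA") }
        $0 == "DSA"  { add("ENGINE_METHOD_DSA") }
        $0 == "DH"   { add("ENGINE_METHOD_DH") }
        $0 == "EC"   { add("ENGINE_METHOD_EC") }
        $0 == "RAND" { add("ENGINE_METHOD_RAND") }
        END          { print mask }'
}

# Constructed sample listing (not captured from the thread) so the script runs
# offline; paths and the pkcs11 capability tokens are invented.
sample_listing() {
    cat <<'EOF'
(rdrand) Intel RDRAND engine
 [RAND]
     [ available ]
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/path/to/pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/path/to/vendor-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
 [RSA, RAND, rsaEncryption]
     [ available ]
EOF
}

# Live run: load libp11's pkcs11 engine through "dynamic" with the same -pre
# commands as in the thread, plus -c -t. ENGINE_SO_PATH and PKCS11_MODULE are
# placeholder variable names the caller sets (assumed, not from the thread).
# Options precede the engine id so the command parses on both 1.0.2 and 1.1.x.
probe_engine() {
    : "${ENGINE_SO_PATH:?path to the libp11 engine (pkcs11.so / pkcs11.dll)}"
    : "${PKCS11_MODULE:?path to the vendor PKCS#11 module}"
    openssl engine -vvvv -c -t \
        -pre "SO_PATH:$ENGINE_SO_PATH" -pre ID:pkcs11 -pre LIST_ADD:1 \
        -pre LOAD -pre "MODULE_PATH:$PKCS11_MODULE" dynamic
}

if [ "${1:-}" = "--live" ]; then
    listing=$(probe_engine)
else
    listing=$(sample_listing)
fi
printf '%s\n' "$listing" | engine_caps pkcs11
printf 'mask for ENGINE_set_default(): %s\n' \
    "$(printf '%s\n' "$listing" | engine_method_flags pkcs11)"
```

Run it with `--live` (after exporting the two path variables) to see the real listing; an `[ unavailable ]` line is the same failure as ENGINE_init() returning 0 in C, and the printed mask is the flag set that avoids calling ENGINE_set_default_* for methods the engine never registered. Note that the `speed` run quoted above times mdc2, a digest OpenSSL computes in software, so it does not exercise the card's RSA path; the `req -x509` run, which signs with the card key, is the check that does.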