private key not available for client_cert_cb
Jan Just Keijser
janjust at nikhef.nl
Sun Dec 20 01:05:20 UTC 2020
Hi,
On 19/12/20 04:48, George wrote:
> Hi,
>
> I narrowed the problem down to
> ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL)
>
> This causes the initial exception
> Exception thrown at 0x757346D2 in GENCom.exe: Microsoft C++ exception:
> unsigned long at memory location 0x006FCD68.
>
> It looks like some of the Engine methods cause an exception, but not
> all of them:
> *Works:*
> ENGINE_METHOD_CIPHERS
> ENGINE_METHOD_DIGESTS
> ENGINE_METHOD_DSA
> ENGINE_METHOD_DH
> ENGINE_METHOD_RAND
> ENGINE_METHOD_PKEY_ASN1_METHS
>
> *Causes An Exception:*
> ENGINE_METHOD_RSA
> ENGINE_METHOD_ECDH
> ENGINE_METHOD_ECDSA
> ENGINE_METHOD_PKEY_METHS
>
>
> Is that normal behaviour, or is something wrong? Is there a way to
> find the supported engine methods to avoid triggering an exception?
>
I'd say no engine/pkcs11 module should trigger exceptions - that's an
error in the pkcs11 module.
Something you can try is this:
run the 'openssl.exe' command:
openssl engine -t dynamic -pre
"SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll"
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program
Files (x86)\HID Global\ActivClient\\acpkcs211.dll"
then on the OpenSSL prompt, try
s_client -keyform engine -key 0:<key-id> -cert "clientcert.pem"
-connect remote_host:remote_port
that should start a TLS connection and use the pkcs11 engine to ask for
the key, identified by <key-id> in slot 0 (adjust the slot number if
your smart card starts at number 1, etc.).
HTH,
JJK
> It seems like a lot of other sample code I have looked at calls
> ENGINE_init(pkey_engine);
>
> Is that needed? When I call it, it always returns with "0". Should it
> be returning with "1"?
>
> I did some testing in the OpenSSL command line, and here is what I found:
>
> - The command line "speed" test appears to be fine:
>
> OpenSSL> speed -engine pkcs11
> engine "pkcs11" set.
> Doing mdc2 for 3s on 16 size blocks: 2688737 mdc2's in 2.98s
> Doing mdc2 for 3s on 64 size blocks: 880529 mdc2's in 3.00s
> Doing mdc2 for 3s on 256 size blocks: 240916 mdc2's in 2.98s
> Doing mdc2 for 3s on 1024 size blocks: 61287 mdc2's in 3.00s
> Doing mdc2 for 3s on 8192 size blocks: 7774 mdc2's in 2.98s
> .
> .
> .
>
> - I also tried the following, which successfully created the PEM
> files:
>
> OpenSSL> req -engine pkcs11 -new -key
> "pkcs11:object=Authentication -
> *;type=private;pin-value=123456" -keyform engine -out req2.pem
> -text -x509 -subj "/CN=*"
> OpenSSL> x509 -engine pkcs11 -signkey
> "pkcs11:object=Authentication -
> *;type=private;pin-value=123456" -keyform engine -in req2.pem
> -out cert2.pem
>
> Thanks,
> George
>
>
> On 2020-12-18 3:40 a.m., Jan Just Keijser wrote:
>> Hi,
>>
>> On 18/12/20 06:21, George wrote:
>>> Hi,
>>>
>>> I'm able to setup the engine now, but as soon as I attempt to
>>> execute the command
>>> ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL);
>>> ,I see all kinds of middleware exceptions being generated:
>>>
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>>> exception: unsigned long at memory location 0x07FCFA00.
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
>>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>>> .
>>> .
>>> .
>>>
>>>
>>> Do you have any idea what is causing these errors? Am I missing
>>> something in the configuration? When I use the OpenSSL command line
>>> debugger, there are no errors:
>>>
>>> OpenSSL> engine -t dynamic -pre
>>> "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll"
>>> -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
>>> "MODULE_PATH:C:\Program Files (x86)\HID
>>> Global\ActivClient\\acpkcs211.dll"
>>> (dynamic) Dynamic engine loading support
>>> [Success]:
>>> SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll
>>> [Success]: ID:pkcs11
>>> [Success]: LIST_ADD:1
>>> [Success]: LOAD
>>> [Success]: MODULE_PATH:C:\Program Files (x86)\HID
>>> Global\ActivClient\\acpkcs211.dll
>>> Loaded: (pkcs11) pkcs11 engine
>>> [ available ]
>>> OpenSSL>
>>>
>>>
>>> Here is what my simplified code looks like:
>>>
>>> char* enginePluginLibrary =
>>> "C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll";
>>> char* pkcs11MiddlewareLibrary = "C:\\Program Files (x86)\\HID
>>> Global\\ActivClient\\acpkcs211.dll";
>>> ENGINE_load_builtin_engines();
>>> ENGINE_register_all_complete();
>>> ENGINE *pkey_engine = ENGINE_by_id("dynamic");
>>>
>>> ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH", enginePluginLibrary, 0);
>>> ENGINE_ctrl_cmd_string(pkey_engine, "ID", "pkcs11", 0);
>>> ENGINE_ctrl_cmd_string(pkey_engine, "LIST_ADD", "1", 0);
>>> ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0);
>>> ENGINE_ctrl_cmd_string(pkey_engine, "MODULE_PATH",
>>> pkcs11MiddlewareLibrary, 0);
>>> ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL);
>>>
>>>
>> The main difference between the OPENSSL.EXE example and your code is that
>> last call:
>>
>> here's what "ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL)" does:
>>
>>
>> int ENGINE_set_default(ENGINE *e, unsigned int flags)
>> {
>>     if ((flags & ENGINE_METHOD_CIPHERS) &&
>>         !ENGINE_set_default_ciphers(e))
>>         return 0;
>>     if ((flags & ENGINE_METHOD_DIGESTS) &&
>>         !ENGINE_set_default_digests(e))
>>         return 0;
>> #ifndef OPENSSL_NO_RSA
>>     if ((flags & ENGINE_METHOD_RSA) && !ENGINE_set_default_RSA(e))
>>         return 0;
>> #endif
>> #ifndef OPENSSL_NO_DSA
>>     if ((flags & ENGINE_METHOD_DSA) && !ENGINE_set_default_DSA(e))
>>         return 0;
>> #endif
>> #ifndef OPENSSL_NO_DH
>>     if ((flags & ENGINE_METHOD_DH) && !ENGINE_set_default_DH(e))
>>         return 0;
>> #endif
>> #ifndef OPENSSL_NO_ECDH
>>     if ((flags & ENGINE_METHOD_ECDH) && !ENGINE_set_default_ECDH(e))
>>         return 0;
>> #endif
>> #ifndef OPENSSL_NO_ECDSA
>>     if ((flags & ENGINE_METHOD_ECDSA) && !ENGINE_set_default_ECDSA(e))
>>         return 0;
>> #endif
>>     if ((flags & ENGINE_METHOD_RAND) && !ENGINE_set_default_RAND(e))
>>         return 0;
>>     if ((flags & ENGINE_METHOD_PKEY_METHS)
>>         && !ENGINE_set_default_pkey_meths(e))
>>         return 0;
>>     if ((flags & ENGINE_METHOD_PKEY_ASN1_METHS)
>>         && !ENGINE_set_default_pkey_asn1_meths(e))
>>         return 0;
>>     return 1;
>> }
>>
>> (from the openssl 1.0.2 source tree)
>> It could be that one of those methods is not throwing the errors with
>> your smart card.
>> I'd advise you to test your smart card capabilities. It might also
>> be useful to do more command line testing with your smartcard using
>>
>> engine -vvvv -t dynamic -pre
>> "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll"
>> -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program
>> Files (x86)\HID Global\ActivClient\\acpkcs211.dll"
>>
>> and then try out certain operations, like encrypt/decrypt or simply
>> use the command
>> speed
>>
>> and watch for any errors - that should give you a hint which method
>> is not supported by your smart card.
>>
>> HTH,
>>
>> JJK
>>>
>