private key not available for client_cert_cb

Jan Just Keijser janjust at nikhef.nl
Sun Dec 20 01:05:20 UTC 2020


Hi,

On 19/12/20 04:48, George wrote:
> Hi,
>
>   I narrowed the problem down to
> ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL)
>
> This causes the initial exception
> Exception thrown at 0x757346D2 in GENCom.exe: Microsoft C++ exception: 
> unsigned long at memory location 0x006FCD68.
>
> It looks like some of the Engine methods cause an exception, but not 
> all of them:
> *Works:*
> ENGINE_METHOD_CIPHERS
> ENGINE_METHOD_DIGESTS
> ENGINE_METHOD_DSA
> ENGINE_METHOD_DH
> ENGINE_METHOD_RAND
> ENGINE_METHOD_PKEY_ASN1_METHS
>
> *Causes An Exception:*
> ENGINE_METHOD_RSA
> ENGINE_METHOD_ECDH
> ENGINE_METHOD_ECDSA
> ENGINE_METHOD_PKEY_METHS
>
>
> Is that normal behaviour, or is something wrong? Is there a way to 
> find the supported engine methods to avoid triggering an exception?
>
I'd say no engine/pkcs11 module should trigger exceptions - that's an 
error in the pkcs11 module.

Something you can try is this:

run the 'openssl.exe' command:

openssl engine -t dynamic -pre 
"SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll" 
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program 
Files (x86)\HID Global\ActivClient\\acpkcs211.dll"

then at the OpenSSL prompt, try

   s_client -keyform engine -key 0:<key-id> -cert "clientcert.pem"
   -connect remote_host:remote_port

that should start a TLS connection and use the pkcs11 engine to ask for 
the key, identified by <key-id> in slot 0 (adjust the slot number if 
your smart card starts at number 1, etc.).

HTH,

JJK

> It seems like a lot of other sample code I have looked at calls
> ENGINE_init(pkey_engine);
>
> Is that needed? When I call it, it always returns with "0". Should it 
> be returning with "1"?
>
> I did some testing in the OpenSSL command line, and here is what I found:
>
>     - The command line "speed" test appears to be fine:
>
>         OpenSSL> speed -engine pkcs11
>         engine "pkcs11" set.
>         Doing mdc2 for 3s on 16 size blocks: 2688737 mdc2's in 2.98s
>         Doing mdc2 for 3s on 64 size blocks: 880529 mdc2's in 3.00s
>         Doing mdc2 for 3s on 256 size blocks: 240916 mdc2's in 2.98s
>         Doing mdc2 for 3s on 1024 size blocks: 61287 mdc2's in 3.00s
>         Doing mdc2 for 3s on 8192 size blocks: 7774 mdc2's in 2.98s
>         .
>         .
>         .
>
>     - I also tried the following, which successfully created the PEM
>     files:
>
>         OpenSSL> req -engine pkcs11 -new -key
>         "pkcs11:object=Authentication -
>         *;type=private;pin-value=123456" -keyform engine -out req2.pem
>         -text -x509 -subj "/CN=*"
>         OpenSSL> x509 -engine pkcs11 -signkey
>         "pkcs11:object=Authentication -
>         *;type=private;pin-value=123456" -keyform engine -in req2.pem
>         -out cert2.pem
>
> Thanks,
> George
>
>
> On 2020-12-18 3:40 a.m., Jan Just Keijser wrote:
>> Hi,
>>
>> On 18/12/20 06:21, George wrote:
>>> Hi,
>>>
>>>    I'm able to setup the engine now, but as soon as I attempt to 
>>> execute the command
>>> ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL);
>>> ,I see all kinds of middleware exceptions being generated:
>>>
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>>> exception: unsigned long at memory location 0x07FCFA00.
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>>> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ 
>>> exception: AI::Middleware::CMWException at memory location 0x032FD2D0.
>>> .
>>> .
>>> .
>>>
>>>
>>> Do you have any idea what is causing these errors? Am I missing 
>>> something in the configuration? When I use the OpenSSL command line 
>>> debugger, there are no errors:
>>>
>>> OpenSSL> engine -t dynamic -pre 
>>> "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll" 
>>> -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre 
>>> "MODULE_PATH:C:\Program Files (x86)\HID 
>>> Global\ActivClient\\acpkcs211.dll"
>>> (dynamic) Dynamic engine loading support
>>> [Success]: 
>>> SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll
>>> [Success]: ID:pkcs11
>>> [Success]: LIST_ADD:1
>>> [Success]: LOAD
>>> [Success]: MODULE_PATH:C:\Program Files (x86)\HID 
>>> Global\ActivClient\\acpkcs211.dll
>>> Loaded: (pkcs11) pkcs11 engine
>>>      [ available ]
>>> OpenSSL>
>>>
>>>
>>> Here is what my simplified code looks like:
>>>
>>> char* enginePluginLibrary = 
>>> "C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll";
>>> char* pkcs11MiddlewareLibrary = "C:\\Program Files (x86)\\HID 
>>> Global\\ActivClient\\acpkcs211.dll";
>>> ENGINE_load_builtin_engines();
>>> ENGINE_register_all_complete();
>>> ENGINE *pkey_engine = ENGINE_by_id("dynamic");
>>>
>>> ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH", enginePluginLibrary, 0);
>>> ENGINE_ctrl_cmd_string(pkey_engine, "ID", "pkcs11", 0);
>>> ENGINE_ctrl_cmd_string(pkey_engine, "LIST_ADD", "1", 0);
>>> ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0);
>>> ENGINE_ctrl_cmd_string(pkey_engine, "MODULE_PATH", 
>>> pkcs11MiddlewareLibrary, 0);
>>> ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL);
>>>
>>>
>> The main difference between the OPENSSL.EXE example and your code is that 
>> last call:
>>
>> here's what "ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL)" does:
>>
>>
>> int ENGINE_set_default(ENGINE *e, unsigned int flags)
>> {
>>     if ((flags & ENGINE_METHOD_CIPHERS) && 
>> !ENGINE_set_default_ciphers(e))
>>         return 0;
>>     if ((flags & ENGINE_METHOD_DIGESTS) && 
>> !ENGINE_set_default_digests(e))
>>         return 0;
>> #ifndef OPENSSL_NO_RSA
>>     if ((flags & ENGINE_METHOD_RSA) && !ENGINE_set_default_RSA(e))
>>         return 0;
>> #endif
>> #ifndef OPENSSL_NO_DSA
>>     if ((flags & ENGINE_METHOD_DSA) && !ENGINE_set_default_DSA(e))
>>         return 0;
>> #endif
>> #ifndef OPENSSL_NO_DH
>>     if ((flags & ENGINE_METHOD_DH) && !ENGINE_set_default_DH(e))
>>         return 0;
>> #endif
>> #ifndef OPENSSL_NO_ECDH
>>     if ((flags & ENGINE_METHOD_ECDH) && !ENGINE_set_default_ECDH(e))
>>         return 0;
>> #endif
>> #ifndef OPENSSL_NO_ECDSA
>>     if ((flags & ENGINE_METHOD_ECDSA) && !ENGINE_set_default_ECDSA(e))
>>         return 0;
>> #endif
>>     if ((flags & ENGINE_METHOD_RAND) && !ENGINE_set_default_RAND(e))
>>         return 0;
>>     if ((flags & ENGINE_METHOD_PKEY_METHS)
>>         && !ENGINE_set_default_pkey_meths(e))
>>         return 0;
>>     if ((flags & ENGINE_METHOD_PKEY_ASN1_METHS)
>>         && !ENGINE_set_default_pkey_asn1_meths(e))
>>         return 0;
>>     return 1;
>> }
>>
>> (from the openssl 1.0.2 source tree)
>> It could be that one of those methods is not throwing the errors with 
>> your smart card.
>> I'd advise you to test your smart card capabilities. It might also 
>> be useful to do more command line testing with your smartcard using
>>
>>   engine -vvvv -t dynamic -pre 
>> "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll" 
>> -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program 
>> Files (x86)\HID Global\ActivClient\\acpkcs211.dll"
>>
>> and then try out certain operations, like encrypt/decrypt or simply 
>> use the command
>>   speed
>>
>> and watch for any errors - that should give you a hint which method 
>> is not supported by your smart card.
>>
>> HTH,
>>
>> JJK
