private key not available for client_cert_cb

George whippet0 at gmail.com
Sun Dec 20 08:39:22 UTC 2020


Hi,

I tried running the "s_client" command and it appears to be working.

I guess there must be something wrong in my code.
My crash occurs when I call

    ENGINE_init(pkey_engine);

I notice your code does not call this function.  Is this needed?
If so, when/where should it be called?

What exactly is the definition of "pkey_identifier" in

    ENGINE_load_private_key(pkey_engine, pkey_identifier,
                            transfer_pin, &cb_data) ?


I'm not clear on what this value should be. Can you give an example of 
what it would look like?

I have the following on my smart card:

    Private Key Object; RSA
       label:      Authentication - *
       ID:         2b2586c684d69b670c0a805edf514e720f2b757d8e2faa0b3a7ff23d1ccfc7ba
       Usage:      unwrap
       Access:     sensitive, never extractable
       Allowed mechanisms: RSA-PKCS,RSA-X-509


Would the pkey_identifier be the ID in the above?


What exactly is "prompt_info" in the structure PW_CB_DATA? i.e.

    typedef struct pw_cb_data {
        const void *password;
        const char *prompt_info;
    } PW_CB_DATA;

Can you give an example of what it might look like?

Is the value of cb_data populated by the transfer_pin callback 
functions, or should it already contain a value when 
ENGINE_load_private_key is called?

Is there a way to skip the callback transfer_pin and use a hard coded 
pin for test purposes when calling ENGINE_load_private_key(...)?



Thanks!
George


On 2020-12-19 8:05 p.m., Jan Just Keijser wrote:
>
> I'd say no engine/pkcs11 module should trigger exceptions - that's an 
> error in the pkcs11 module.
>
> Something you can try is this:
>
> run the 'openssl.exe' command:
>
> openssl engine -t dynamic -pre 
> "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll" 
> -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program 
> Files (x86)\HID Global\ActivClient\\acpkcs211.dll"
>
> then on the OpenSSL prompt, try
>
>   s_client -keyform engine -key 0:<key-id> -cert "clientcert.pem"
> -connect remote_host:remote_port
>
> that should start a TLS connection and use the pkcs11 engine to ask 
> for the key, identified by <key-id> in slot 0 (adjust the slot number 
> if your smart card starts at number 1 etc.)
>
> HTH,
>
> JJK
>
>
