Provider implementation providing client certificates during TLS
Tomas Mraz
tomas at openssl.org
Wed Feb 8 07:39:23 UTC 2023
Hi Ladislav,
your provider needs to implement an OSSL_STORE provider functionality
with a special URI scheme that will be recognized by your provider. The
certificate and the private key then need to be loaded by using the
OSSL_STORE API, which will call your provider's store implementation if
the URI scheme matches.
The purpose of SSL_CTX_load_verify_store() is to load a trusted store of
CA certificates to verify the server's certificate. It is not related
to client certificate authentication.
You need to load the client certificate using the OSSL_STORE API and
then set it to the SSL_CTX via SSL_CTX_use_certificate(). Similarly for
the private key.
Tomas Mraz, OpenSSL
On Mon, 2023-02-06 at 18:29 +0100, Ladislav Marko wrote:
> Dear OpenSSL users,
>
> I'm currently developing an OpenSSL provider (so I'm using OpenSSL
> versions 3.0 and newer, currently self-compiled 3.1.0-beta2-dev). One
> key feature of the provider will be providing client certificates (from
> my provider's store) to servers upon request during TLS.
>
> I've implemented decoder, keymgmt, signature and store functionalities.
>
> To quote documentation from `SSL_CTX_set_client_cert_cb`, "When a
> certificate was set using the SSL_CTX_use_certificate(3) family of
> functions, it will be sent to the server." I've used
> `SSL_CTX_load_verify_store()`, which I believe suffices.
>
> Unfortunately none of my functions get called afterward when dealing
> with the client certificate. And by that I mean that my store isn't
> opened to see if I have matching certificates.
>
> I've tried to circumvent this behavior with
> `SSL_CTX_set_client_cert_cb()`, where I load the certificate and key
> manually, but to no avail. None of my implemented functions get called,
> and when looking at the stack trace I get lost really fast since there
> is some caching happening. I'm suspicious that my functions don't get
> called in this case because I have not implemented digest
> functionalities, since the last trace output I get is "Using client
> verify alg SHA2-256". (Although I get that output even when not using
> a custom client certificate callback.)
>
> So my question is: What needs to be implemented/changed/called so
> OpenSSL will use certificates from my providers store as client
> certificates?
>
> Any help would be strongly appreciated.
> Ladislav Marko
>
--
Tomáš Mráz, OpenSSL