private key not available for client_cert_cb

Jan Just Keijser janjust at nikhef.nl
Fri Dec 18 08:40:04 UTC 2020


Hi,

On 18/12/20 06:21, George wrote:
> Hi,
>
>    I'm able to setup the engine now, but as soon as I attempt to 
> execute the command
> ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL);
> ,I see all kinds of middleware exceptions being generated:
>
> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: 
> unsigned long at memory location 0x07FCFA00.
> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: 
> AI::Middleware::CMWException at memory location 0x032FD2D0.
> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: 
> AI::Middleware::CMWException at memory location 0x032FD2D0.
> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: 
> AI::Middleware::CMWException at memory location 0x032FD2D0.
> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: 
> AI::Middleware::CMWException at memory location 0x032FD2D0.
> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: 
> AI::Middleware::CMWException at memory location 0x032FD2D0.
> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: 
> AI::Middleware::CMWException at memory location 0x032FD2D0.
> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: 
> AI::Middleware::CMWException at memory location 0x032FD2D0.
> Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++ exception: 
> AI::Middleware::CMWException at memory location 0x032FD2D0.
> .
> .
> .
>
>
> Do you have any idea what is causing these errors? Am I missing 
> something in the configuration? When I use the OpenSSL command line 
> debugger, there are no errors:
>
> OpenSSL> engine -t dynamic -pre 
> "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll" 
> -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program 
> Files (x86)\HID Global\ActivClient\\acpkcs211.dll"
> (dynamic) Dynamic engine loading support
> [Success]: 
> SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:C:\Program Files (x86)\HID 
> Global\ActivClient\\acpkcs211.dll
> Loaded: (pkcs11) pkcs11 engine
>      [ available ]
> OpenSSL>
>
>
> Here is what my simplified code looks like:
>
> char* enginePluginLibrary = 
> "C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll";
> char* pkcs11MiddlewareLibrary = "C:\\Program Files (x86)\\HID 
> Global\\ActivClient\\acpkcs211.dll";
> ENGINE_load_builtin_engines();
> ENGINE_register_all_complete();
> ENGINE *pkey_engine = ENGINE_by_id("dynamic");
>
> ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH", enginePluginLibrary, 0);
> ENGINE_ctrl_cmd_string(pkey_engine, "ID", "pkcs11", 0);
> ENGINE_ctrl_cmd_string(pkey_engine, "LIST_ADD", "1", 0);
> ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0);
> ENGINE_ctrl_cmd_string(pkey_engine, "MODULE_PATH", 
> pkcs11MiddlewareLibrary, 0);
> ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL);
>
>
The main difference between the OPENSSL.EXE example and your code is that 
last call:

Here's what "ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL)" does:


int ENGINE_set_default(ENGINE *e, unsigned int flags)
{
     if ((flags & ENGINE_METHOD_CIPHERS) && !ENGINE_set_default_ciphers(e))
         return 0;
     if ((flags & ENGINE_METHOD_DIGESTS) && !ENGINE_set_default_digests(e))
         return 0;
#ifndef OPENSSL_NO_RSA
     if ((flags & ENGINE_METHOD_RSA) && !ENGINE_set_default_RSA(e))
         return 0;
#endif
#ifndef OPENSSL_NO_DSA
     if ((flags & ENGINE_METHOD_DSA) && !ENGINE_set_default_DSA(e))
         return 0;
#endif
#ifndef OPENSSL_NO_DH
     if ((flags & ENGINE_METHOD_DH) && !ENGINE_set_default_DH(e))
         return 0;
#endif
#ifndef OPENSSL_NO_ECDH
     if ((flags & ENGINE_METHOD_ECDH) && !ENGINE_set_default_ECDH(e))
         return 0;
#endif
#ifndef OPENSSL_NO_ECDSA
     if ((flags & ENGINE_METHOD_ECDSA) && !ENGINE_set_default_ECDSA(e))
         return 0;
#endif
     if ((flags & ENGINE_METHOD_RAND) && !ENGINE_set_default_RAND(e))
         return 0;
     if ((flags & ENGINE_METHOD_PKEY_METHS)
         && !ENGINE_set_default_pkey_meths(e))
         return 0;
     if ((flags & ENGINE_METHOD_PKEY_ASN1_METHS)
         && !ENGINE_set_default_pkey_asn1_meths(e))
         return 0;
     return 1;
}

(from the openssl 1.0.2 source tree)
It could be that one of those methods is not throwing the errors with 
your smart card.
I'd advise you to test your smart card capabilities. It might also be 
useful to do more command line testing with your smartcard using

   engine -vvvv -t dynamic -pre 
"SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll" 
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program 
Files (x86)\HID Global\ActivClient\\acpkcs211.dll"

and then try out certain operations, like encrypt/decrypt or simply use 
the command
   speed

and watch for any errors - that should give you a hint which method is 
not supported by your smart card.

HTH,

JJK
>
> On 2020-12-17 8:39 p.m., Jan Just Keijser wrote:
>> On 17/12/20 14:55, George wrote:
>>> Ok. So I use the libp11 project DLL file for the SO_PATH and my 
>>> smart card middleware DLL for the MODULE_PATH when setting up the 
>>> OpenSSL Engine?
>>>
>>>
>> yes just like in the example I posted below.
>>
>> I would recommend the p11 wiki page to do it using the command line 
>> first - much easier to test & debug.
>>
>> JJK
>>