private key not available for client_cert_cb
Michael Wojcik
Michael.Wojcik at microfocus.com
Fri Jan 8 23:32:59 UTC 2021
> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of George
> Sent: Friday, 8 January, 2021 14:35
> The comment indicates that the flag RSA_METHOD_FLAG_NO_CHECK should be set
> for smart cards[...]
> However, it is not actually set when I use a debugger to inspect the flag.
> Does it need to be set? If so, how is this done?
If memory serves, the PKCS#11 implementation invoked by the pkcs11 engine is supposed to set it.
See for example this patch to OpenSC's pkcs11-helper library:
https://github.com/OpenSC/pkcs11-helper/commit/5198bb1e557dfd4109bea41c086825bf6ebdd9f3
(That patch actually is to set a different flag, but it shows the code in question.)
I know, that's probably not terribly helpful.
If you do a web search for something like
pkcs11 "RSA_METHOD_FLAG_NO_CHECK"
you'll probably find a number of hits where other people ran into similar problems.
Isn't PKCS#11 grand? If you're bored with all the interoperability problems of X.509, PKIX, and TLS, we have good news!
--
Michael Wojcik
More information about the openssl-users
mailing list