CSR generation using pkcs11 token engine from C# code

Piotr Lobacz piotr.lobacz at softgent.com
Mon May 24 09:54:01 UTC 2021


Hi all,
i am currently trying to generate CSR with the usage of tpm2-pkcs11 module together with pkcs11 engine from opensc and the whole thing running with openssl api from C# code.

I have checked that my solution works from command line. I have added these lines:

openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines-1.1/libpkcs11.so
MODULE_PATH = /usr/lib/libtpm2_pkcs11.so
init = 0

to the /etc/ssl/openssl.cnf configuration file and than this command:

openssl req -new -subj '/C=PL/ST=Gdansk/L=Gdansk/CN=softgent.com/' -sha256 -engine pkcs11 -keyform engine -key "pkcs11:token=foo;object=tls;type=private;pin-value=1234567890"

produces CSR for me.

Now i want to do all this, from C# code. I have found a C# library https://github.com/andyhopp/OpenSsl.DynamicEngine which will load the engine, but i think that this won't be sufficient in a matter of pkcs11 engine, because i also need to load pkcs11 module. The question is what should i add to this library for propper work in means of pkcs11 api? What i mean is to use all this data from cnf file to configure openssl. Another question is how to execute this command above for csr from C#? I suspect that because on linux C# sdk uses openssl api for all cryptographic operations than it should be somehow similar to the C solution. I would be gratefull if someone could point me at least for a C solution of this issue.

Best regards
Piotr Lobacz
[https://softgent.com/wp-content/uploads/2020/01/Zasob-14.png]<https://www.softgent.com>

Softgent Sp. z o.o., Budowlanych 31d, 80-298 Gdansk, POLAND

KRS: 0000674406, NIP: 9581679801, REGON: 367090912

www.softgent.com

Sąd Rejonowy Gdańsk-Północ w Gdańsku, VII Wydział Gospodarczy Krajowego Rejestru Sądowego

KRS 0000674406, Kapitał zakładowy: 25 000,00 zł wpłacony w całości.


More information about the openssl-users mailing list