ODP: CSR generation using pkcs11 token engine from C# code

Piotr Lobacz piotr.lobacz at softgent.com
Tue May 25 14:14:58 UTC 2021 

Ok i am trying to use this code:

TokenEngine::TokenEngine( const StringList & modulePaths )
{
    ENGINE * tok = ENGINE_by_id( "pkcs11" );
    if ( ! tok )
        throw Exception( "token: unable to get engine" );

    m_pEngine = tok;

    const string modulePath( findFirstExisting( modulePaths ) );
    if ( modulePath.empty() )
        throw Exception( "token: unable to find module path" );

    DEBUG( "token: ctor: module_path=" << QS( modulePath ) );
    if ( 1 != ENGINE_ctrl_cmd_string( tok, "MODULE_PATH", modulePath.c_str(), CMD_MANDATORY ) )
        throw Exception( "token: setting module_path <= " + QS( modulePath ) );

    DEBUG( "token: ctor: initializing " << m_pEngine );
    if ( 1 != ENGINE_init( tok ) )
        throw Exception( "token: unable to initialize" );

    DEBUG( "token: ctor: done" );
}

which is from this site https://github.com/tkil/openssl-pkcs11-samples/blob/master/OpenSSLWrappers.cpp and the problem is that if i change modulePath value to a not existing file the method is still returning 1 which i think it should not. Correct me if i'm wrong.

BR
Piotr

________________________________
Od: Michael McKenney <mike.mckenney at scsiraidguru.com>
Wysłane: poniedziałek, 24 maja 2021 14:17
Do: Piotr Lobacz <piotr.lobacz at softgent.com>; openssl-users at openssl.org <openssl-users at openssl.org>
Temat: RE: CSR generation using pkcs11 token engine from C# code


Usually I reserve C# for Windows servers.   I use PHP on Ubuntu other Linux Distros.    Most web servers that need OpenSSL are Linux.   Glad you got it working.





From: Piotr Lobacz <piotr.lobacz at softgent.com>
Sent: Monday, May 24, 2021 8:10 AM
To: Michael McKenney <mike.mckenney at scsiraidguru.com>; openssl-users at openssl.org
Subject: ODP: CSR generation using pkcs11 token engine from C# code



Hi Michael,

thx for your quick reply. Unfortunately i can't use your script because i need to use native code not bash implementation.



For the first question about loading token module i have found a solution on github https://github.com/tkil/openssl-pkcs11-samples . This code is a C/C++ code but i can fairly port it to C#, and i was right about different load of engine for pkcs11 engine. So this can be closed.



Another thing is to generate CSR with the usage of token and openssl. This will be more complicated and i don't know yet how to do that.



BR

Piotr



________________________________

Od: Michael McKenney <mike.mckenney at scsiraidguru.com<mailto:mike.mckenney at scsiraidguru.com>>
Wysłane: poniedziałek, 24 maja 2021 13:28
Do: Piotr Lobacz <piotr.lobacz at softgent.com<mailto:piotr.lobacz at softgent.com>>; openssl-users at openssl.org<mailto:openssl-users at openssl.org> <openssl-users at openssl.org<mailto:openssl-users at openssl.org>>
Temat: RE: CSR generation using pkcs11 token engine from C# code



I wrote this script years ago when I switched to Godaddy 10 site  certificates.   I don't use it from C#   You could easily put it into C# or PHP.   <  >  would be variables at the top.   I have it filled in so I just modify the alt_names.   I just cut and paste the all of it into Ubuntu and run it in the directory  /etc/apache2/ssl.   If you don't need all 10, you can delete the extra ones in alt_names.


openssl req -new -sha256 -nodes -out \<crs_name.csr> -newkey rsa:2048 -keyout \<your key name.key> -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C= < country >
ST= < Your States >
L= < City or location >
O= < Organization >
OU= <Organizational Unit >
emailAddress= <your email>
CN = <The common name of the cert>

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = < domain #1 >
DNS.2 = < domain #2 >
DNS.3 = < domain #3 >
DNS.4 = < domain #4 >
DNS.5 = < domain #5 >
DNS.6 = < domain #6 >
DNS.7 = < domain #7 >
DNS.8 = < domain #8 >
DNS.9 = < domain #9 >
EOF
)






-----Original Message-----
From: openssl-users <openssl-users-bounces at openssl.org<mailto:openssl-users-bounces at openssl.org>> On Behalf Of Piotr Lobacz
Sent: Monday, May 24, 2021 5:54 AM
To: openssl-users at openssl.org<mailto:openssl-users at openssl.org>
Subject: CSR generation using pkcs11 token engine from C# code

Hi all,
i am currently trying to generate CSR with the usage of tpm2-pkcs11 module together with pkcs11 engine from opensc and the whole thing running with openssl api from C# code.

I have checked that my solution works from command line. I have added these lines:

openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines-1.1/libpkcs11.so MODULE_PATH = /usr/lib/libtpm2_pkcs11.so init = 0

to the /etc/ssl/openssl.cnf configuration file and than this command:

openssl req -new -subj '/C=PL/ST=Gdansk/L=Gdansk/CN=softgent.com/' -sha256 -engine pkcs11 -keyform engine -key "pkcs11:token=foo;object=tls;type=private;pin-value=1234567890"

produces CSR for me.

Now i want to do all this, from C# code. I have found a C# library https://github.com/andyhopp/OpenSsl.DynamicEngine which will load the engine, but i think that this won't be sufficient in a matter of pkcs11 engine, because i also need to load pkcs11 module. The question is what should i add to this library for propper work in means of pkcs11 api? What i mean is to use all this data from cnf file to configure openssl. Another question is how to execute this command above for csr from C#? I suspect that because on linux C# sdk uses openssl api for all cryptographic operations than it should be somehow similar to the C solution. I would be gratefull if someone could point me at least for a C solution of this issue.

Best regards
Piotr Lobacz
[https://softgent.com/wp-content/uploads/2020/01/Zasob-14.png]<https://www.softgent.com<https://softgent.com/wp-content/uploads/2020/01/Zasob-14.png%5d%3chttps:/www.softgent.com>>

Softgent Sp. z o.o., Budowlanych 31d, 80-298 Gdansk, POLAND

KRS: 0000674406, NIP: 9581679801, REGON: 367090912

www.softgent.com<http://www.softgent.com>

Sąd Rejonowy Gdańsk-Północ w Gdańsku, VII Wydział Gospodarczy Krajowego Rejestru Sądowego

KRS 0000674406, Kapitał zakładowy: 25 000,00 zł wpłacony w całości.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20210525/05c931d5/attachment-0001.html>

More information about the openssl-users mailing list