<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">Hi Jan,<br>
<br>
Thanks for your response. It looks like I don't already have
the PPP and PPPD. Do I need to download and install the following?
<br>
<a class="moz-txt-link-freetext" href="https://github.com/jjkeijser/ppp/tree/eap-tls">https://github.com/jjkeijser/ppp/tree/eap-tls</a><br>
<br>
I am using OpenSSL in Windows 10 and compiled it with Visual
Studio 2019. Will this EAP-TLS code compile/work with Visual
Studio in Windows?<br>
<br>
Are there any other ways to get the Smart Card to work without
needing to install additional software?<br>
<br>
<br>
Thanks!<br>
George<br>
<br>
<br>
<br>
On 2020-12-14 3:51 a.m., Jan Just Keijser wrote:<br>
</div>
<blockquote type="cite"
cite="mid:bfd6c62b-a628-a59c-5980-07468b47775b@nikhef.nl">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div class="moz-cite-prefix">Hi,<br>
<br>
On 14/12/20 08:08, George wrote:<br>
</div>
<blockquote type="cite"
cite="mid:292d3b25-9197-4977-a406-0a19abc15a0d@gmail.com">
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
Hi,<br>
<br>
I'm new to OpenSSL and am trying to set up mutual
authentication in a client. The client is set up with OpenSSL
1.0.2u, and the client's certificate + private key are stored on
a Smart Card. When the client receives a certificate request
from the server during the mutual authentication handshake, the
OpenSSL <i>client_cert_cb</i> callback function is
automatically invoked. The problem is that <i>client_cert_cb</i>
requires a private key. Unfortunately, it is not possible to get
a private key from a Smart Card. Is there a way to send a
certificate to the server without needing the private key?<br>
<br>
I'm setting up the callback function with:<br>
<br>
<font size="+1" face="monospace">void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));</font><br>
<br>
<br>
Here is a sample of what my code looks like when I set this up:<br>
<br>
<font size="+1" face="monospace">SSL_CTX_set_client_cert_cb(context,
<b>openSSLClientAuthenticationCallBack</b>);<br>
<br>
int <b>openSSLClientAuthenticationCallBack</b>(SSL *ssl, X509
**x509, EVP_PKEY **pkey)<br>
{<br>
. . .<br>
}<br>
</font><br>
<br>
I can access the Smart Card using the PKCS#11 interface and I'm
able to get the certificate and sign it, etc. However, I cannot
get the actual private key from the Smart Card.<br>
<br>
Does anyone know how I can get around this problem?<br>
<br>
</blockquote>
<br>
To use a PKCS#11 smartcard you normally use the OpenSSL pkcs11
engine; you then do something like:<br>
<br>
<font face="monospace">#include &lt;openssl/engine.h&gt;<br>
<br>
/* body of eaptls_ssl_load_engine(): load the pkcs11 engine through OpenSSL's "dynamic" engine */<br>
engine_name = "pkcs11";<br>
ENGINE_load_dynamic(); /* makes the "dynamic" engine available to ENGINE_by_id() */<br>
ENGINE_register_all_complete();<br>
pkey_engine = ENGINE_by_id( "dynamic" );<br>
if (pkey_engine)<br>
{<br>
/* SO_PATH "pkcs11" is resolved to libpkcs11.so (engine_pkcs11 from libp11) */<br>
if (!ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH", engine_name, 0)<br>
|| !ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0))<br>
{<br>
warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name );<br>
log_ssl_errors();<br>
ENGINE_free(pkey_engine); /* not ENGINE_free(e): free the engine we actually hold */<br>
pkey_engine = NULL;<br>
}<br>
}<br>
<br>
if (pkey_engine)<br>
{<br>
/* this also initialises the engine, which ENGINE_load_private_key() requires */<br>
if (!ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL))<br>
{<br>
warn( "EAP-TLS: Error setting default engine '%s'", engine_name );<br>
log_ssl_errors();<br>
ENGINE_free(pkey_engine);<br>
pkey_engine = NULL;<br>
}<br>
}<br>
<br>
/* the caller: the block above is what eaptls_ssl_load_engine() does */<br>
pkey_engine = eaptls_ssl_load_engine( "pkcs11" );<br>
if (pkey_engine)<br>
{<br>
/* pkey is a handle: signing happens on the token, no key material is read out */<br>
pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, transfer_pin, &amp;cb_data);<br>
if (pkey)<br>
SSL_CTX_use_PrivateKey(ctx, pkey);<br>
}</font><br>
<br>
where "transfer_pin" is a callback UI function to query the user
for the pkcs11 device password.<br>
<br>
More detailed code can be found in my pppd EAP-TLS patch, file
eap-tls.c at<br>
<a class="moz-txt-link-freetext"
href="https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c"
moz-do-not-send="true">https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c</a><br>
<br>
(and search for pkey_engine)<br>
<br>
HTH,<br>
<br>
JJK<br>
<br>
</blockquote>
<br>
</body>
</html>