<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">How I did this:<div class=""><br class=""></div><div class="">1) You can make up your own EVP_PKEY that uses your own engine implementation and attach a data ptr to it</div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> <span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(28, 70, 74);" class="">EVP_PKEY</span>* returnPKey;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> returnPKey = <span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">EVP_PKEY_new</span>();</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> <span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(155, 35, 147);" class=""><b class="">if</b></span>( returnPKey )</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> {</div><div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""><span style="font-stretch: normal; font-size: 13px; line-height: normal;" class=""> <span class="Apple-tab-span" style="white-space:pre"> </span> </span><span style="color: #1c464a" class="">ENGINE</span><span style="font-stretch: normal; font-size: 13px; line-height: normal;" class="">* engine = </span><span style="color: #326d74" class="">ENGINE_by_id</span><span style="font-stretch: normal; font-size: 13px; line-height: normal;" class="">(YOUR</span><span style="color: #643820" class="">_ENGINE_ID</span><span style="font-stretch: normal; font-size: 13px; line-height: normal;" class="">);</span></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> <span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(28, 70, 74);" class="">RSA</span>* sc_rsa = <span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">RSA_new_method</span>(engine);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> <span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(155, 35, 147);" class=""><b class="">if</b></span>( sc_rsa )</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>// attach a reference to a structure holding your smart card middleware info</div><div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: Menlo; color: rgb(50, 109, 116); background-color: rgb(255, 255, 255);" class=""><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class=""> </span>RSA_set_ex_data<span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">(sc_rsa, </span>ENGINE_smartcard_rsa_idx_middleware<span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">(),</span></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> (<span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(155, 35, 147);" class=""><b class="">void</b></span>*)middleware-><span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">handle</span>);</div><p style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255); min-height: 15px;" class=""> <br class="webkit-block-placeholder"></p><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> <span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(28, 70, 74);" class="">EVP_PKEY</span>* pk = <span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">X509_get_pubkey</span>( returnCert );</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> <span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(155, 35, 147);" class=""><b class="">if</b></span>( pk )</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> sc_rsa-><span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">e</span> = <span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">BN_new</span>();</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> sc_rsa-><span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">n</span> = <span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">BN_new</span>();</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> <span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">BN_copy</span>(sc_rsa-><span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">e</span>, pk-><span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">pkey</span>.<span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">rsa</span>-><span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">e</span>);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> <span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">BN_copy</span>(sc_rsa-><span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">n</span>, pk-><span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">pkey</span>.<span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">rsa</span>-><span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">n</span>);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> <span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">EVP_PKEY_free</span>(pk);</div><p style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255); min-height: 15px;" class=""> <br class="webkit-block-placeholder"></p><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> <span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">EVP_PKEY_set1_RSA</span>(returnPKey, sc_rsa);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> <span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(50, 109, 116);" class="">RSA_free</span>(sc_rsa);</div><p style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255); min-height: 15px;" class=""> <br class="webkit-block-placeholder"></p><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> *outCert = make this X509 from your smart card certificate;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> *outpkey = returnPKey;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> }</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> <span style="font-stretch: normal; font-size: 12px; line-height: normal; color: rgb(155, 35, 147);" class=""><b class="">else</b></span></div><div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: Menlo; color: rgb(196, 26, 22); background-color: rgb(255, 255, 255);" class=""><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class=""> </span><span style="color: #643820" class="">LogError</span><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">(</span>"smartcards_fetch_identity can't get pubkey\n"<span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">);</span></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255);" class=""> }</div><div class=""><br class=""></div><div class="">Then for your engine you will need some methods to configure it as follows:</div><div class=""><div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: Menlo; color: rgb(15, 104, 160); background-color: rgb(255, 255, 255);" class=""><span style="color: #9b2393" class=""><b class="">void</b></span><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class=""> </span>ENGINE_load_smartcard_keychain<span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">(</span><span style="color: #9b2393" class=""><b class="">void</b></span><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">);</span></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: Menlo; color: rgba(0, 0, 0, 0.85); background-color: rgb(255, 255, 255); min-height: 15px;" class=""><span style="color: rgb(93, 108, 121);" class="">/*</span></div><div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: Menlo; color: rgb(93, 108, 121); background-color: rgb(255, 255, 255);" class=""> * ENGINE_tss_keychain_rsa_idx_middleware returns a ex_data index where engine user should store the</div><div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: Menlo; color: rgb(93, 108, 121); background-color: rgb(255, 255, 255);" class=""> * pointer to the info needed to use the middleware</div><div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: Menlo; color: rgb(93, 108, 121); background-color: rgb(255, 255, 255);" class=""> */</div><div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: Menlo; color: rgb(15, 104, 160); background-color: rgb(255, 255, 255);" class=""><span style="color: #9b2393" class=""><b class="">int</b></span><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class=""> </span>ENGINE_smartcard_rsa_idx_middleware<span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">(</span><span style="color: #9b2393" class=""><b class="">void</b></span><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">);</span></div><div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: Menlo; color: rgb(93, 108, 121); background-color: rgb(255, 255, 255);" class=""><br class=""></div></div><div class=""><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">Your ENGINE_load_smartcard_keychain method should set global values that get returned by <span style="caret-color: rgb(15, 104, 160); color: rgb(15, 104, 160); font-family: Menlo; font-size: 12px; background-color: rgb(255, 255, 255);" class="">ENGINE_smartcard_rsa_idx_middleware:</span></span></div><div class=""><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class=""><div style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Menlo; color: rgb(50, 109, 116); background-color: rgb(255, 255, 255);" class=""><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class=""> </span>gMiddlewareRSAIndex<span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class=""> = </span>RSA_get_ex_new_index<span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">(</span><span style="color: #1c00cf" class="">0x1234</span><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">, </span><span style="color: #9b2393" class=""><b class="">NULL</b></span><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">, </span><span style="color: #9b2393" class=""><b class="">NULL</b></span><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">, </span><span style="color: #9b2393" class=""><b class="">NULL</b></span><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">, </span><span style="color: #9b2393" class=""><b class="">NULL</b></span><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">);</span></div><div style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Menlo; color: rgb(50, 109, 116); background-color: rgb(255, 255, 255);" class=""><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class=""><br class=""></span></div><div class=""><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">Configure your engine filling in an RSA_METHOD structure with what you will need. You don’t really need all the methods in RSA_METHOD structure, and if you don’t need them add a stub that returns a 0. I did not need either of the mod_exp method or the public key encrypt and decrypt methods. I also did not need the verify or keygen methods. Your init and finish methods just need to return 1.</span></div><div class=""><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">I set the RSA_METHOD flags to <span style="color: rgb(100, 56, 32); font-family: Menlo; font-size: 12px; background-color: rgb(255, 255, 255);" class="">RSA_FLAG_FIPS_METHOD</span><span style="font-family: Menlo; background-color: rgb(255, 255, 255); font-stretch: normal; line-height: normal;" class="">|</span><span style="color: rgb(100, 56, 32); font-family: Menlo; font-size: 12px; background-color: rgb(255, 255, 255);" class="">RSA_METHOD_FLAG_NO_CHECK</span><span style="font-family: Menlo; background-color: rgb(255, 255, 255); font-stretch: normal; line-height: normal;" class="">|</span><span style="color: rgb(100, 56, 32); font-family: Menlo; font-size: 12px; background-color: rgb(255, 255, 255);" class="">RSA_FLAG_CACHE_PUBLIC</span> </span></div><div class=""><br class=""></div><div class="">This leaves the cipher methods for private key encrypt/decrypt and sign. The private key methods will be where all the work is done. Write a function to perform the smartcard ‘crypt’ method and use it in private encrypt/decrypt and the signing methods. You will need to pay attention to padding and make sure you know how to pad for PKCS1 type 1. The RSA_SSLV23_PADDING is not required and you can just return an error if you get called with this. </div><div class=""><br class=""></div><div class="">I handle the PIN entry requirement by having the engine return a specific error if the PIN is needed, then handle the PIN entry in the application. Once the PIN is entered and available to the middleware, I retry the connection.</div><div class=""><br class=""></div><div class="">The trick is to get a pointer to your middleware implementation from the private key engine methods like this:</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Menlo; color: rgb(28, 70, 74); background-color: rgb(255, 255, 255);" class=""><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class=""> m</span>y_middleware_handle<span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class=""> =</span></div><div style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Menlo; color: rgb(50, 109, 116); background-color: rgb(255, 255, 255);" class=""><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class=""> <span class="Apple-tab-span" style="white-space:pre"> </span>(</span><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class=""><span style="font-stretch: normal; line-height: normal;" class="">m</span><span style="caret-color: rgb(28, 70, 74); color: rgb(28, 70, 74); font-size: 12px;" class="">y_middleware_handle</span>)</span>RSA_get_ex_data<span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class="">(rsa, </span><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class=""><span style="caret-color: rgb(50, 109, 116); color: rgb(50, 109, 116); font-size: 12px;" class="">gMiddlewareRSAIndex</span>);</span></div></div><div class=""><span style="font-stretch: normal; font-size: 13px; line-height: normal; color: rgba(0, 0, 0, 0.85);" class=""><br class=""></span></div></span></div><div>I found that writing the engine was more straightforward that attempting to use PKCS11.</div><div><br class=""><blockquote type="cite" class=""><div class="">On Dec 14, 2020, at 1:08 AM, George <<a href="mailto:whippet0@gmail.com" class="">whippet0@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="content-type" content="text/html; charset=UTF-8" class="">
<div class="">
Hi,<br class="">
<br class="">
I'm new to OpenSSL and am trying to set up mutual authentication
in a client. The client is setup with OpenSSL 1.0.2u. and the
client's certificate + private key is stored on a Smart Card. When
the client receives a certificate request from the server during the
mutual authentication handshake, the OpenSSL <i class="">client_cert_cb</i>
callback function is automatically invoked. The problem is that <i class="">client_cert_cb</i>
requires a private key. Unfortunately, it is not possible to get a
private key from a Smart Card. Is there a way to send a certificate
to the server without needing the private key?<br class="">
<br class="">
I'm setting up the callback function with:<br class="">
<br class="">
<font size="+1" face="monospace" class="">void
SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL
*ssl, X509 **x509, EVP_PKEY **pkey));</font><font size="+1" class=""><br class="">
</font><br class="">
<br class="">
Here is a sample of what my code looks like when I set this up:<br class="">
<br class="">
<font size="+1" face="monospace" class="">SSL_CTX_set_client_cert_cb(context,
<b class="">openSSLClientAuthenticationCallBack</b>);<br class="">
<br class="">
int <b class="">openSSLClientAuthenticationCallBack</b>(SSL *ssl, X509
**x509, EVP_PKEY **pkey)<br class="">
{<br class="">
. . .<br class="">
}<br class="">
</font><br class="">
<br class="">
I can access the Smart Card using the PKCS#11 interface and I'm able
to get the certificate and sign it, etc. However, I cannot get the
actual private key from the Smart Card.<br class="">
<br class="">
Does anyone know how I can get around this problem?<br class="">
<br class="">
<br class="">
Thanks,<br class="">
George<br class="">
<br class="">
</div>
</div></blockquote></div><br class=""></div></body></html>