<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 17/12/20 14:55, George wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:5887cae2-1ecb-4081-1ee9-bcf566a88afe@gmail.com">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <div class="moz-cite-prefix">Ok. So I use the libp11 project DLL
        file for the SO_PATH and my smart card middleware DLL for the
        MODULE_PATH when setting up the OpenSSL Engine?<br>
        <br>
        <br>
      </div>
    </blockquote>
    Yes, just like in the example I posted below.<br>
    <br>
    I would recommend the p11 wiki page to do it using the command line
    first - much easier to test &amp; debug.<br>
    <br>
    JJK<br>
    <br>
    <blockquote type="cite"
      cite="mid:5887cae2-1ecb-4081-1ee9-bcf566a88afe@gmail.com">
      <div class="moz-cite-prefix"> <br>
        <br>
        On 2020-12-17 3:22 a.m., Jan Just Keijser wrote:<br>
      </div>
      <blockquote type="cite"
        cite="mid:2495b1de-13d0-8777-56b0-46ac80cd0203@nikhef.nl">
        <meta http-equiv="Content-Type" content="text/html;
          charset=utf-8">
        <div class="moz-cite-prefix">Hi,<br>
          <br>
          On 16/12/20 20:26, George wrote:<br>
        </div>
        <blockquote type="cite"
          cite="mid:30032dde-70d1-d438-86ae-77f04a8179cf@gmail.com">
          <meta http-equiv="Content-Type" content="text/html;
            charset=utf-8">
          <div class="moz-cite-prefix">Hi,<br>
            <br>
               I've been looking at the code in the pppd EAP-TLS patch,
            but I can't seem to load the engine with the pkcs11 DLL. It
            is failing with the error: <br>
            <br>
<pre><code>error:2507606A:DSO support routines:WIN32_BIND_FUNC:could not bind to the requested symbol name</code></pre>
            I've verified the path is correct.<br>
            <br>
            I am using OpenSSL 1.0.2u with the FIPS Object Module 2.0.16
            in Windows 10. Do I need to do anything special to allow
            loading of DLLs in OpenSSL?<br>
            <br>
            Here is what I am trying to do:<br>
            <br>
<pre><code>/* SO_PATH is given the card middleware DLL itself here */
char* engine_name = "C:\\Users\\whipp\\junk4\\ActivClient\\acpkcs211.dll";
ENGINE_load_builtin_engines();          /* makes the built-in "dynamic" engine available */
ENGINE_register_all_complete();
ENGINE *pkey_engine = ENGINE_by_id("dynamic");
ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH", engine_name, 0);   /* library to dlopen/LoadLibrary */
ENGINE_ctrl_cmd_string(pkey_engine, "ID", "pkcs11", 0);           /* engine id expected inside that library */
ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0);             /* this is where WIN32_BIND_FUNC fails */</code></pre>
            <br>
            Do you see anything wrong with this?<br>
            <br>
          </div>
        </blockquote>
        <br>
        I forgot to mention that loading a PKCS11 driver from within
        OpenSSL is a 2 stage rocket:<br>
        <br>
        first stage: load the engine_pkcs11 module using<br>
        <br>
<pre><code>char* engine_name = "C:\\Windows\\System32\\pkcs11.dll";</code></pre>
        <br>
        <br>
        This is a separate piece of code and is part of the libp11
        project:<br>
          <a class="moz-txt-link-freetext"
          href="https://github.com/OpenSC/libp11" moz-do-not-send="true">https://github.com/OpenSC/libp11</a><br>
        <br>
        (it also has a nice wiki that explains how to do it on the
        command line using OPENSSL.EXE)<br>
        <br>
        Then create an openssl.cnf section like this:<br>
        <br>
        <pre><code>openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# first stage: the OpenSSL engine library loaded through "dynamic"
dynamic_path = "C:\Windows\System32\opensc-pkcs11.dll"
# second stage: the PKCS#11 middleware that the engine itself loads
MODULE_PATH = "C:\Users\whipp\junk4\ActivClient\acpkcs211.dll"
PIN = "0001password"
# init = 0: the engine is registered but the application calls ENGINE_init() itself
init = 0</code></pre>
        <br>
        and load that (see the EAP-TLS code for an example or read<br>
          <a class="moz-txt-link-freetext"
href="https://stackoverflow.com/questions/41119744/pkcs11-engine-for-openssl"
          moz-do-not-send="true">https://stackoverflow.com/questions/41119744/pkcs11-engine-for-openssl</a><br>
        for a similar question).<br>
        <br>
        HTH,<br>
        <br>
        JJK<br>
        <br>
        <br>
        <br>
        <br>
        <blockquote type="cite"
          cite="mid:30032dde-70d1-d438-86ae-77f04a8179cf@gmail.com">
          <div class="moz-cite-prefix"> On 2020-12-15 4:38 a.m., Jan
            Just Keijser wrote:<br>
          </div>
          <blockquote type="cite"
            cite="mid:e015a686-88b2-e483-a7da-53e9efabd9fc@nikhef.nl">
            <meta http-equiv="Content-Type" content="text/html;
              charset=utf-8">
            <div class="moz-cite-prefix">Hi,<br>
              <br>
              On 14/12/20 21:01, George wrote:<br>
            </div>
            <blockquote type="cite"
              cite="mid:7a3428c6-04ab-672e-b738-67680f9fc036@gmail.com">
              <meta http-equiv="Content-Type" content="text/html;
                charset=utf-8">
              <div class="moz-cite-prefix">Ok, so I am not actually
                going to populate EVP_PKEY with a private key in the
                callback function:<br>
                <code>int (*client_cert_cb)(SSL *ssl, X509 **x509, <b>EVP_PKEY **pkey</b>)</code>?<br>
                <br>
                Instead, I will call<br>
                <code>EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, UI_METHOD *ui_method, void *callback_data);</code><br>
                to get the <code>EVP_PKEY</code>, which will be used by
                OpenSSL to access the Smart Card.<br>
                <br>
                Once I get the resulting <code>EVP_PKEY</code> using
                <code>ENGINE_load_private_key(...)</code>, how do I
                assign it to pkey in the callback function?<br>
                If I had a private key I would use something like<br>
                <code>EVP_PKEY_assign_RSA(..)</code><br>
                Since I don't actually have a private key, should I use
                something else?<br>
                <br>
              </div>
            </blockquote>
            Like Michael pointed out, my eap-tls code is just an
            example of how you could handle a pkcs11 device; it does not
            use a callback at all, but my code loads the client cert+key
            upfront and avoids having to use a client callback
            altogether.<br>
            <br>
            I guess you could also use a client callback for this
            (perhaps in combination with
            SSL_CTX_set_client_cert_engine()). In that case you would
            get the (pseudo) key from the engine like this<br>
<pre><code>/* e: the loaded pkcs11 ENGINE; key_id: id/label of the key on the card;
   ui_method/callback_data: PIN prompting hooks (NULL for the default) */
EVP_PKEY *engine_key = ENGINE_load_private_key(e, key_id, ui_method, callback_data);</code></pre>
            and then set<br>
<pre><code>*pkey = engine_key;   /* pkey is the callback's EVP_PKEY ** out-parameter */</code></pre>
            and see if that works.<br>
            Note that the <code>ENGINE_load_private_key()</code>
            function *does* return an EVP_PKEY struct but that does not
            mean the entire private key is contained in it; a private
            key consists of a modulus and a private part (exponent,
            prime1, prime2, exponent1, exponent2 etc). The
            <code>ENGINE_load_private_key()</code> call will return a
            struct containing the modulus but not the rest. You then use
            the engine to do the actual encryption and decryption.<br>
            <br>
            HTH,<br>
            <br>
            JJK<br>
            <br>
            <br>
          </blockquote>
          <br>
        </blockquote>
        <br>
      </blockquote>
      <br>
    </blockquote>
    <br>
  </body>
</html>