<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
On 19/12/20 04:48, George wrote:<br>
</div>
<blockquote type="cite"
cite="mid:00492ef8-67aa-8848-97fe-65cf2ba3b38f@gmail.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div class="moz-cite-prefix">Hi,<br>
<br>
I narrowed the problem down to <br>
<font face="monospace">ENGINE_set_default(pkey_engine,
ENGINE_METHOD_ALL)</font><br>
<br>
This causes the initial exception<br>
<font face="monospace">Exception thrown at 0x757346D2 in
GENCom.exe: Microsoft C++ exception: unsigned long at memory
location 0x006FCD68.<br>
</font><br>
It looks like some of the Engine methods cause an exception, but
not all of them:<br>
<b><br>
Works:</b><br>
<font face="monospace">ENGINE_METHOD_CIPHERS<br>
ENGINE_METHOD_DIGESTS<br>
ENGINE_METHOD_DSA<br>
ENGINE_METHOD_DH<br>
ENGINE_METHOD_RAND<br>
ENGINE_METHOD_PKEY_ASN1_METHS</font><br>
<br>
<b>Causes An Exception:</b><br>
<font face="monospace">ENGINE_METHOD_RSA<br>
ENGINE_METHOD_ECDH<br>
ENGINE_METHOD_ECDSA<br>
ENGINE_METHOD_PKEY_METHS</font><br>
<br>
<br>
Is that normal behaviour, or is something wrong? Is there a way
to find the supported engine methods to avoid triggering an
exception?<br>
<br>
</div>
</blockquote>
I'd say no engine/pkcs11 module should trigger exceptions - that's
an error in the pkcs11 module.<br>
<br>
Something you can try is this:<br>
<br>
run the 'openssl.exe' command:<br>
<br>
openssl engine -t dynamic -pre
"SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll"
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
"MODULE_PATH:C:\Program Files (x86)\HID
Global\ActivClient\\acpkcs211.dll"
<br>
<br>
then on the OpenSSL prompt , try<br>
<br>
s_client -keyform engine -key 0:<key-id> -cert
"clientcert.pem" -connect remote_host:remote_port<br>
<br>
that should start a TLS connection and use the pcks11 engine to ask
for the key , identified by <key-id> in slot 0 (adjust the
slot number if your smart card starts at number 1 etc.<br>
<br>
HTH,<br>
<br>
JJK <br>
<br>
<br>
<br>
<br>
<blockquote type="cite"
cite="mid:00492ef8-67aa-8848-97fe-65cf2ba3b38f@gmail.com">
<div class="moz-cite-prefix"> It seems like alot of other smaple
code I have looked at calls<br>
<font face="monospace">ENGINE_init(pkey_engine);<br>
<br>
</font>Is the needed? When I call it, it always returns with
"0". Should it be returning with "1"?<br>
<br>
I did some testing in the OpenSSL command line, and here is what
I found:<br>
<blockquote>- The command line "speed" test appears to be fine:<br>
<blockquote><font face="monospace">OpenSSL> speed -engine
pkcs11<br>
engine "pkcs11" set.<br>
Doing mdc2 for 3s on 16 size blocks: 2688737 mdc2's in
2.98s<br>
Doing mdc2 for 3s on 64 size blocks: 880529 mdc2's in
3.00s<br>
Doing mdc2 for 3s on 256 size blocks: 240916 mdc2's in
2.98s<br>
Doing mdc2 for 3s on 1024 size blocks: 61287 mdc2's in
3.00s<br>
Doing mdc2 for 3s on 8192 size blocks: 7774 mdc2's in
2.98s<br>
.<br>
.<br>
.</font><br>
</blockquote>
- I also tried the following, which successfully created the
PEM files:<br>
<blockquote><font face="monospace"><font face="monospace">OpenSSL>
</font>req -engine pkcs11 -new -key
"pkcs11:object=Authentication -
*;type=private;pin-value=123456" -keyform engine -out
req2.pem -text -x509 -subj "/CN=*"<br>
</font><font face="monospace"><font face="monospace">OpenSSL>
</font>x509 -engine pkcs11 -signkey
"pkcs11:object=Authentication -
*;type=private;pin-value=123456" -keyform engine -in
req2.pem -out cert2.pem<br>
</font></blockquote>
</blockquote>
<br>
<br>
<br>
<br>
Thanks,<br>
George<br>
<br>
<br>
On 2020-12-18 3:40 a.m., Jan Just Keijser wrote:<br>
</div>
<blockquote type="cite"
cite="mid:8038268f-fd47-1ef8-7dec-ce365b0d453e@nikhef.nl">Hi, <br>
<br>
On 18/12/20 06:21, George wrote: <br>
<blockquote type="cite">Hi, <br>
<br>
I'm able to setup the engine now, but as soon as I attempt
to execute the command <br>
ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL); <br>
,I see all kinds of middleware exceptions being generated: <br>
<br>
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
exception: unsigned long at memory location 0x07FCFA00. <br>
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
exception: AI::Middleware::CMWException at memory location
0x032FD2D0. <br>
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
exception: AI::Middleware::CMWException at memory location
0x032FD2D0. <br>
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
exception: AI::Middleware::CMWException at memory location
0x032FD2D0. <br>
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
exception: AI::Middleware::CMWException at memory location
0x032FD2D0. <br>
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
exception: AI::Middleware::CMWException at memory location
0x032FD2D0. <br>
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
exception: AI::Middleware::CMWException at memory location
0x032FD2D0. <br>
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
exception: AI::Middleware::CMWException at memory location
0x032FD2D0. <br>
Exception thrown at 0x773046D2 in GENCom.exe: Microsoft C++
exception: AI::Middleware::CMWException at memory location
0x032FD2D0. <br>
. <br>
. <br>
. <br>
<br>
<br>
Do you have any idea what is causing these errors? Am I
missing something in the configuration? When I use the OpenSSL
command line debugger, there are no errors: <br>
<br>
OpenSSL> engine -t dynamic -pre
"SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll"
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
"MODULE_PATH:C:\Program Files (x86)\HID
Global\ActivClient\\acpkcs211.dll" <br>
(dynamic) Dynamic engine loading support <br>
[Success]:
SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll
<br>
[Success]: ID:pkcs11 <br>
[Success]: LIST_ADD:1 <br>
[Success]: LOAD <br>
[Success]: MODULE_PATH:C:\Program Files (x86)\HID
Global\ActivClient\\acpkcs211.dll <br>
Loaded: (pkcs11) pkcs11 engine <br>
[ available ] <br>
OpenSSL> <br>
<br>
<br>
Here is what my simplified code looks like: <br>
<br>
char* enginePluginLibrary =
"C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll";
<br>
char* pkcs11MiddlewareLibrary = "C:\\Program Files (x86)\\HID
Global\\ActivClient\\acpkcs211.dll"; <br>
ENGINE_load_builtin_engines(); <br>
ENGINE_register_all_complete(); <br>
ENGINE *pkey_engine = ENGINE_by_id("dynamic"); <br>
<br>
ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH",
enginePluginLibrary, 0); <br>
ENGINE_ctrl_cmd_string(pkey_engine, "ID", "pkcs11", 0); <br>
ENGINE_ctrl_cmd_string(pkey_engine, "LIST_ADD", "1", 0); <br>
ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0); <br>
ENGINE_ctrl_cmd_string(pkey_engine, "MODULE_PATH",
pkcs11MiddlewareLibrary, 0); <br>
ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL); <br>
<br>
<br>
</blockquote>
main difference between the OPENSSL.EXE example and your code is
that last call: <br>
<br>
here's wat "ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL)"
does: <br>
<br>
<br>
int ENGINE_set_default(ENGINE *e, unsigned int flags) <br>
{ <br>
if ((flags & ENGINE_METHOD_CIPHERS) &&
!ENGINE_set_default_ciphers(e)) <br>
return 0; <br>
if ((flags & ENGINE_METHOD_DIGESTS) &&
!ENGINE_set_default_digests(e)) <br>
return 0; <br>
#ifndef OPENSSL_NO_RSA <br>
if ((flags & ENGINE_METHOD_RSA) &&
!ENGINE_set_default_RSA(e)) <br>
return 0; <br>
#endif <br>
#ifndef OPENSSL_NO_DSA <br>
if ((flags & ENGINE_METHOD_DSA) &&
!ENGINE_set_default_DSA(e)) <br>
return 0; <br>
#endif <br>
#ifndef OPENSSL_NO_DH <br>
if ((flags & ENGINE_METHOD_DH) &&
!ENGINE_set_default_DH(e)) <br>
return 0; <br>
#endif <br>
#ifndef OPENSSL_NO_ECDH <br>
if ((flags & ENGINE_METHOD_ECDH) &&
!ENGINE_set_default_ECDH(e)) <br>
return 0; <br>
#endif <br>
#ifndef OPENSSL_NO_ECDSA <br>
if ((flags & ENGINE_METHOD_ECDSA) &&
!ENGINE_set_default_ECDSA(e)) <br>
return 0; <br>
#endif <br>
if ((flags & ENGINE_METHOD_RAND) &&
!ENGINE_set_default_RAND(e)) <br>
return 0; <br>
if ((flags & ENGINE_METHOD_PKEY_METHS) <br>
&& !ENGINE_set_default_pkey_meths(e)) <br>
return 0; <br>
if ((flags & ENGINE_METHOD_PKEY_ASN1_METHS) <br>
&& !ENGINE_set_default_pkey_asn1_meths(e)) <br>
return 0; <br>
return 1; <br>
} <br>
<br>
(from the openssl 1.0.2 source tree) <br>
It could be that one of those methods is not throwing the errors
with your smart card. <br>
I'd advise you to test your smart card capabilities . It might
also be useful to do more command line testing with your
smartcard using <br>
<br>
engine -vvvv -t dynamic -pre
"SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll"
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
"MODULE_PATH:C:\Program Files (x86)\HID
Global\ActivClient\\acpkcs211.dll" <br>
<br>
and then try out certain operations, like encrypt/decrypt or
simply use the command <br>
speed <br>
<br>
and watch for any errors - that should give you a hint which
method is not supported by your smart card. <br>
<br>
HTH, <br>
<br>
JJK <br>
<blockquote type="cite"> <br>
</blockquote>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>