<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <div class="moz-cite-prefix">Hi,<br>
      <br>
          I was looking at the  code in <font face="monospace"><a class="moz-txt-link-freetext" href="https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c">https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c</a></font>
      and realized I forgot to call ENGINE_ctrl_cmd(...) to set up
      "LOAD_CERT_CTRL". However, when I do this, the callback function
      is no longer being called during the mutual authentication
      handshake. I'm wondering if I have the parameter
      "cert_info.s_slot_cert_id" incorrectly configured. Here is what my
      code looks like:<br>
          <br>
      <blockquote><font face="monospace">struct</font><br>
        <font face="monospace">{</font><br>
        <font face="monospace">   const char* s_slot_cert_id;</font><br>
        <font face="monospace">   X509* cert;</font><br>
        <font face="monospace">} cert_info;</font><br>
        <font face="monospace"><b>cert_info.s_slot_cert_id =
            "a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45";</b></font><br>
        <font face="monospace">cert_info.cert = NULL;</font><br>
        <br>
        <font face="monospace">/* LOAD_CERT_CTRL is an [Internal] command, so it is reached through
           ENGINE_ctrl_cmd() with a pointer argument; it returns 0 on failure and
           leaves cert_info.cert NULL, so check both before using the cert */</font><br>
        <font face="monospace"><b>if (!ENGINE_ctrl_cmd(engine,
            "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0) || cert_info.cert == NULL)</b></font><br>
        <font face="monospace">{</font><br>
        <font face="monospace">    ERR_print_errors_fp(stderr);</font><br>
        <font face="monospace">    /* handle the error here instead of continuing with a NULL cert */</font><br>
        <font face="monospace">}</font><br>
        <b><font face="monospace">SSL_CTX_use_certificate(sslContext,
            cert_info.cert);</font></b><br>
      </blockquote>
      <br>
      I tried manually using LOAD_CERT_CTRL in the openssl shell but I
      cannot seem to get it to work and cannot find any examples of how
      to use it.  Is the syntax for <font face="monospace"><b>LOAD_CERT_CTRL</b>
        correct? I am using<b> </b></font><font face="monospace"><b>"LOAD_CERT_CTRL:<certificate
          Object ID>".</b></font><br>
      <br>
      <blockquote><font face="monospace">OpenSSL> engine -vvvv -t
          dynamic -pre
          "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll"
          -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
          "MODULE_PATH:C:\Program Files (x86)\HID
          Global\ActivClient\\acpkcs211.dll" -pre PIN:123456 -pre
          FORCE_LOGIN <b>-pre
"LOAD_CERT_CTRL:a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45"<br>
            <br>
          </b></font><font face="monospace">(dynamic) Dynamic engine
          loading support</font><br>
        <font face="monospace">[Success]:
          SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll</font><br>
        <font face="monospace">[Success]: ID:pkcs11</font><br>
        <font face="monospace">[Success]: LIST_ADD:1</font><br>
        <font face="monospace">[Success]: LOAD</font><br>
        <font face="monospace">[Success]: MODULE_PATH:C:\Program Files
          (x86)\HID Global\ActivClient\\acpkcs211.dll</font><br>
        <font face="monospace">[Success]: PIN:123456</font><br>
        <font face="monospace">[Success]: FORCE_LOGIN</font><br>
        <b><font face="monospace">[Failure]:
LOAD_CERT_CTRL:a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45</font></b><b><br>
        </b><b><font face="monospace">4196:error:260AB086:engine
            routines:ENGINE_ctrl_cmd_string:cmd not
            executable:.\crypto\engine\eng_ctrl.c:316:</font></b><br>
        <font face="monospace">Loaded: (pkcs11) pkcs11 engine</font><br>
        <font face="monospace">     [ available ]</font><br>
        <font face="monospace">     SO_PATH: Specifies the path to the
          'pkcs11' engine shared library</font><br>
        <font face="monospace">          (input flags): STRING</font><br>
        <font face="monospace">     MODULE_PATH: Specifies the path to
          the PKCS#11 module shared library</font><br>
        <font face="monospace">          (input flags): STRING</font><br>
        <font face="monospace">     PIN: Specifies the pin code</font><br>
        <font face="monospace">          (input flags): STRING</font><br>
        <font face="monospace">     VERBOSE: Print additional details</font><br>
        <font face="monospace">          (input flags): NO_INPUT</font><br>
        <font face="monospace">     QUIET: Remove additional details</font><br>
        <font face="monospace">          (input flags): NO_INPUT</font><br>
        <font face="monospace">     <b>LOAD_CERT_CTRL: Get the
            certificate from card</b></font><b><br>
        </b><b><font face="monospace">          (input flags):
            [Internal]</font></b><br>
        <font face="monospace">     INIT_ARGS: Specifies additional
          initialization arguments to the PKCS#11 module</font><br>
        <font face="monospace">          (input flags): STRING</font><br>
        <font face="monospace">     SET_USER_INTERFACE: Set the global
          user interface (internal)</font><br>
        <font face="monospace">          (input flags): [Internal]</font><br>
        <font face="monospace">     SET_CALLBACK_DATA: Set the global
          user interface extra data (internal)</font><br>
        <font face="monospace">          (input flags): [Internal]</font><br>
        <font face="monospace">     FORCE_LOGIN: Force login to the
          PKCS#11 module</font><br>
        <font face="monospace">          (input flags): NO_INPUT</font><br>
        <font face="monospace">OpenSSL></font><br>
      </blockquote>
      <br>
      I'm using the certificate object ID
      "a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45"
      for LOAD_CERT_CTRL. Is this right? (I also tried adding "0:" in
      front of it to indicate slot 0, but that did not work either.)<br>
      <br>
      <blockquote><font face="monospace">C:\Program Files\OpenSC
          Project\OpenSC\tools>pkcs11-tool --module="C:\Program
          Files\HID Global\ActivClient/acpkcs211.dll" -l -O</font><br>
        <font face="monospace">Using slot 0 with a present token (0x0)</font><br>
        <font face="monospace">.</font><br>
        <font face="monospace">.</font><br>
        <font face="monospace">.</font><br>
        <font face="monospace">Certificate Object; type = X.509 cert</font><br>
        <font face="monospace">  label:      Card Authentication -
          PIVKey E7F4FBE4644BA647ADDBE261BE596757</font><br>
        <font face="monospace">  subject:    DN: CN=PIVKey
          E7F4FBE4644BA647ADDBE261BE596757</font><br>
        <font face="monospace">  <b>ID:        
            a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45</b></font><br>
      </blockquote>
      <br>
      <br>
      <br>
      Thanks,<br>
      George<br>
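      <br>
      <p>Added example (my own code, not George's and not the eap-tls.c
      the thread links to): a Python model of the check behind the "cmd
      not executable" error above, plus a parser for the "&lt;ID&gt;"
      and "0:&lt;ID&gt;" identifier forms tried in this thread. It parses
      the command listing that <font face="monospace">openssl engine
      -vvvv</font> printed, gives each command the ENGINE_CMD_FLAG_*
      bits from OpenSSL's engine.h, and applies the same rule as OpenSSL's
      ENGINE_cmd_is_executable(): a command whose only flag is [Internal],
      such as LOAD_CERT_CTRL, cannot be driven by -pre (which goes through
      ENGINE_ctrl_cmd_string()) and is reachable only from code via
      ENGINE_ctrl_cmd() with a pointer argument. The listing text is a
      trimmed, constructed copy of the one above; apart from the OpenSSL
      flag names, all function and constant names are mine.</p>

```python
# Model of the OpenSSL engine-command checks behind "cmd not executable".
# Only the ENGINE_CMD_FLAG_* values are OpenSSL's (openssl/engine.h); the rest is mine.
from __future__ import annotations

import re
from dataclasses import dataclass

ENGINE_CMD_FLAG_NUMERIC = 0x0001   # takes a numeric argument
ENGINE_CMD_FLAG_STRING = 0x0002    # takes a string argument
ENGINE_CMD_FLAG_NO_INPUT = 0x0004  # takes no argument
ENGINE_CMD_FLAG_INTERNAL = 0x0008  # pointer argument via ENGINE_ctrl_cmd() only

# Spelling of each flag in the "(input flags):" lines of `openssl engine -vvvv`.
FLAG_WORDS = {"NUMERIC": ENGINE_CMD_FLAG_NUMERIC, "STRING": ENGINE_CMD_FLAG_STRING,
              "NO_INPUT": ENGINE_CMD_FLAG_NO_INPUT, "[Internal]": ENGINE_CMD_FLAG_INTERNAL}

# Certificate object ID from the thread's pkcs11-tool output.
CERT_ID = "a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45"

# Constructed sample: a trimmed copy of the pkcs11 engine listing in the thread.
ENGINE_LISTING = """\
Loaded: (pkcs11) pkcs11 engine
     [ available ]
     SO_PATH: Specifies the path to the 'pkcs11' engine shared library
          (input flags): STRING
     MODULE_PATH: Specifies the path to the PKCS#11 module shared library
          (input flags): STRING
     PIN: Specifies the pin code
          (input flags): STRING
     LOAD_CERT_CTRL: Get the certificate from card
          (input flags): [Internal]
     FORCE_LOGIN: Force login to the PKCS#11 module
          (input flags): NO_INPUT
"""

CMD_RE = re.compile(r"^\s+([A-Z_][A-Z0-9_]*):\s*(.*)$")
FLAGS_RE = re.compile(r"^\s+\(input flags\):\s*(.*)$")
FLAG_TOKEN_RE = re.compile(r"\[Internal\]|NUMERIC|STRING|NO_INPUT")


@dataclass
class EngineCmd:
    name: str
    description: str
    flags: int = 0

    def is_executable(self) -> bool:
        # Same rule as ENGINE_cmd_is_executable(): ENGINE_ctrl_cmd_string(), which
        # -pre/-post go through, accepts only NUMERIC, STRING or NO_INPUT commands.
        # An [Internal]-only command has to be called from code via ENGINE_ctrl_cmd().
        return bool(self.flags & (ENGINE_CMD_FLAG_NUMERIC | ENGINE_CMD_FLAG_STRING
                                  | ENGINE_CMD_FLAG_NO_INPUT))


def parse_engine_listing(text: str) -> list[EngineCmd]:
    """Turn the command block of `openssl engine -vvvv` into EngineCmd records."""
    cmds: list[EngineCmd] = []
    for line in text.splitlines():
        if m := CMD_RE.match(line):
            cmds.append(EngineCmd(m.group(1), m.group(2).strip()))
        elif (m := FLAGS_RE.match(line)) and cmds:
            for word in FLAG_TOKEN_RE.findall(m.group(1)):
                cmds[-1].flags |= FLAG_WORDS[word]
    return cmds


def check_pre_commands(pre_args: list[str], cmds: list[EngineCmd]) -> dict[str, str]:
    """Predict what ENGINE_ctrl_cmd_string() reports for each `-pre NAME[:ARG]`
    sent to the loaded engine (the dynamic engine forwards them after LOAD)."""
    by_name = {c.name: c for c in cmds}
    verdicts: dict[str, str] = {}
    for arg in pre_args:
        name, sep, _value = arg.partition(":")
        cmd = by_name.get(name)
        if cmd is None:
            verdicts[name] = "invalid cmd name"
        elif not cmd.is_executable():
            verdicts[name] = "cmd not executable"
        elif sep and cmd.flags & ENGINE_CMD_FLAG_NO_INPUT:
            verdicts[name] = "command takes no input"
        elif not sep and not cmd.flags & ENGINE_CMD_FLAG_NO_INPUT:
            verdicts[name] = "command takes input"
        else:
            verdicts[name] = "ok"
    return verdicts


def parse_slot_cert_id(s: str) -> tuple[int | None, bytes]:
    """Split the '<ID>' or '<slot>:<ID>' form tried in the thread into a slot
    number and raw CKA_ID bytes (libp11 hex-decodes the ID before matching it
    against objects on the token); reject anything that is not even-length hex."""
    slot_part, sep, id_part = s.partition(":")
    if sep:
        if not slot_part.isdigit():
            raise ValueError(f"slot must be a decimal number, got {slot_part!r}")
        slot, hex_id = int(slot_part), id_part
    else:
        slot, hex_id = None, slot_part
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hex_id):
        raise ValueError("certificate ID must be an even-length hex string")
    return slot, bytes.fromhex(hex_id)


if __name__ == "__main__":
    cmds = parse_engine_listing(ENGINE_LISTING)
    for c in cmds:
        print(f"{c.name:16s} {'usable via -pre' if c.is_executable() else 'code only'}")
    print(check_pre_commands(["PIN:123456", "FORCE_LOGIN", "LOAD_CERT_CTRL:" + CERT_ID], cmds))
    print(parse_slot_cert_id("0:" + CERT_ID))
```

      <p>Run it on the listing from any engine and the verdict for each
      -pre entry tells you, before touching a card, which commands belong
      on the command line and which belong in code.</p>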
      <br>
      <br>
      On 2020-12-23 6:00 a.m., Jan Just Keijser wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:471b029c-420c-e45e-d827-ba0576f22847@nikhef.nl">
      <div class="moz-cite-prefix">Hi,<br>
        <br>
        On 20/12/20 09:39, George wrote:<br>
      </div>
      <blockquote type="cite"
        cite="mid:3e6e027f-812a-ea2d-2d2e-435ad52852b1@gmail.com">
        <div class="moz-cite-prefix">Hi,<br>
          <br>
             I tried running the "s_client" command and it appears to be
          working.<br>
          <br>
          I guess there must be something wrong in my code.<br>
        </div>
      </blockquote>
      <br>
      It is good news that the s_client command is working - it means
      there is something wrong with your code but you have everything at
      hand to fix it: download the openssl 1.0.2 tarball / zip file and
      look for the files<br>
        apps/s_client.c<br>
        apps/apps.c<br>
      <br>
      that contain all of the code that the 's_client' command uses to
      make a connection, and my bet is that it also does not call
      ENGINE_init<br>
      <blockquote type="cite"
        cite="mid:3e6e027f-812a-ea2d-2d2e-435ad52852b1@gmail.com">
        <div class="moz-cite-prefix"> My crash occurs when I call<br>
          <blockquote><font face="monospace">ENGINE_init(pkey_engine);</font><br>
          </blockquote>
          I notice your code does not call this function. Is this
          needed? If so, when/where should it be called?<br>
          <br>
        </div>
      </blockquote>
      tbh, I don't know - look through the openssl sources to see what
      it does, exactly.<br>
      <br>
      <blockquote type="cite"
        cite="mid:3e6e027f-812a-ea2d-2d2e-435ad52852b1@gmail.com">
        <div class="moz-cite-prefix"> What exactly is the definition of
          "pkey_identifier" in <font face="monospace"><br>
          </font>
          <blockquote><font face="monospace">ENGINE_load_private_key(pkey_engine,
              <b>pkey_identifier</b>, transfer_pin, &cb_data) </font>?
            <br>
          </blockquote>
          <br>
          I'm not clear on what this value should be. Can you give an
          example of what it would look like?<br>
          <br>
          I have the following on my smart card:<br>
          <blockquote>Private Key Object; RSA<br>
              label:      Authentication - *<br>
             <b> ID:</b><b>        
              2b2586c684d69b670c0a805edf514e720f2b757d8e2faa0b3a7ff23d1ccfc7ba</b><br>
              Usage:      unwrap<br>
              Access:     sensitive, never extractable<br>
              Allowed mechanisms: RSA-PKCS,RSA-X-509<br>
          </blockquote>
          <br>
          Would the <font face="monospace"><b>pkey_identifier</b></font>
          be the <b>ID</b> in the above?<br>
          <br>
        </div>
      </blockquote>
      yes, although if you have multiple smartcards inserted at the same
      time then it helps to add the slot number, e.g.<br>
        0:<ID><br>
      <br>
      <br>
      <blockquote type="cite"
        cite="mid:3e6e027f-812a-ea2d-2d2e-435ad52852b1@gmail.com">
        <div class="moz-cite-prefix"> <br>
          What exactly is "prompt_info" in the structure PW_CB_DATA?<br>
          i.e.<br>
          <font face="monospace">typedef struct pw_cb_data {<br>
                const void* password;<br>
                const char* <b>prompt_info;</b><br>
            } PW_CB_DATA;</font><br>
          Can you give an example of what it might look like?<br>
          <br>
          Is the value of cb_data populated by the <font
            face="monospace">transfer_pin </font>callback functions, or
          should it already contain a value when  <font
            face="monospace">ENGINE_load_private_key</font> is called?<br>
          <br>
          Is there a way to skip the callback transfer_pin and use a
          hard coded pin for test purposes when calling <font
            face="monospace">ENGINE_load_private_key(...)?</font><br>
          <br>
        </div>
      </blockquote>
      my eap-tls code does just that: if the password is specified in 
      the ppp config file then the user is not prompted:<br>
      <br>
          if (pkey_engine)<br>
          {    <br>
              EVP_PKEY   *pkey = NULL;<br>
              PW_CB_DATA  cb_data;<br>
              UI_METHOD* transfer_pin = NULL;<br>
      <br>
              cb_data.password = passwd;<br>
              cb_data.prompt_info = pkey_identifier;<br>
      <br>
      <br>
      HTH,<br>
      <br>
      JJK<br>
      <blockquote type="cite"
        cite="mid:3e6e027f-812a-ea2d-2d2e-435ad52852b1@gmail.com">
        <div class="moz-cite-prefix"> <br>
          On 2020-12-19 8:05 p.m., Jan Just Keijser wrote:<br>
        </div>
        <blockquote type="cite"
          cite="mid:e8d14828-97aa-a1ee-52e2-36e124978cc6@nikhef.nl">
          <br>
          I'd say no engine/pkcs11 module should trigger exceptions -
          that's an error in the pkcs11 module.<br>
          <br>
          Something you can try is this:<br>
          <br>
          run the 'openssl.exe' command:<br>
          <br>
          openssl engine -t dynamic -pre
          "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll"
          -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
          "MODULE_PATH:C:\Program Files (x86)\HID
          Global\ActivClient\\acpkcs211.dll" <br>
          <br>
          then on the OpenSSL prompt, try<br>
          <br>
            s_client -keyform engine -key 0:<key-id>  -cert 
          "clientcert.pem"  -connect remote_host:remote_port<br>
          <br>
          that should start a TLS connection and use the pkcs11 engine
          to ask for the key, identified by <key-id> in slot 0
          (adjust the slot number if your smart card starts at number 1
          etc.).<br>
          <br>
          HTH,<br>
          <br>
          JJK <br>
          <br>
          <br>
        </blockquote>
        <br>
      </blockquote>
      <br>
    </blockquote>
    <br>
  </body>
</html>