<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <div class="moz-cite-prefix">Hi,<br>
      <br>
         I have been trying to set up mutual authentication using a smart
      card but I can't seem to get the OpenSSL Engine to send a response
      back to the server containing client's certificate from the smart
      card. <br>
         <br>
      I'm using the following to configure the certificate and private
      key:<br>
      <br>
          <font face="monospace">ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, &amp;cert_info,
      NULL, 0);<br>
          SSL_CTX_use_certificate(sslContext, cert_info.cert);<br>
      <br>
          EVP_PKEY* privateKey = ENGINE_load_private_key(engine,
      "2b2586c684d69b670c0a805edf514e720f2b757d8e2faa0b3a7ff23d1ccfc7ba",
      transfer_pin, &amp;cb_data);<br>
          SSL_CTX_use_PrivateKey(sslContext, privateKey);</font><br>
          <br>
      (I have been using the code in
      <a class="moz-txt-link-freetext" href="https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c">https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c</a>  as a
      guide.)<br>
          <br>
      This seems to be successful. However, when I start the mutual
      authentication with <br>
      <font face="monospace">SSL_connect(ssl)</font><br>
      , the mutual authentication handshake fails. I can see the server
      requesting the certificate from the client and the client sends
      back an ACK for this message. However, the client does not send
      the certificate to the server.<br>
      <br>
      I was looking through the OpenSSL code
      openssl-1.0.2u\ssl\ssl_rsa.c and noticed something interesting.
      The comment indicates that the flag <b>RSA_METHOD_FLAG_NO_CHECK</b>
      should be set for smart cards:<br>
      <br>
      <font face="monospace">static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)<br>
      {<br>
      . . .<br>
      #ifndef OPENSSL_NO_RSA<br>
      <b>    /*<br>
           * Don't check the public/private key, this is mostly for smart<br>
           * cards.<br>
           */</b><br>
          if ((pkey-&gt;type == EVP_PKEY_RSA) &amp;&amp;<br>
              (RSA_flags(pkey-&gt;pkey.rsa) &amp; RSA_METHOD_FLAG_NO_CHECK)) ;<br>
          else<br>
      #endif<br>
      . . .<br>
      }</font><br>
      <br>
      However, it is not actually set when I use a debugger to inspect
      the flag. Does it need to be set? If so, how is this done? I could
      not find anything related to this in<br>
      <a class="moz-txt-link-freetext" href="https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c">https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c</a><br>
      <br>
      <br>
      <br>
      <br>
      Thanks,<br>
      George<br>
      <br>
      <br>
      On 2021-01-05 11:51 a.m., Jan Just Keijser wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:640febc7-2499-2284-6625-b7a899ad66ea@nikhef.nl">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <div class="moz-cite-prefix">Hi,<br>
        <br>
        On 05/01/21 07:39, George wrote:<br>
      </div>
      <blockquote type="cite"
        cite="mid:1b20aba6-b88f-2ee1-af0d-23ae19c0746f@gmail.com">
        <meta http-equiv="Content-Type" content="text/html;
          charset=UTF-8">
        <div class="moz-cite-prefix">Hi,<br>
          <br>
              I was looking at the code in <font face="monospace"><a
              class="moz-txt-link-freetext"
              href="https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c"
              moz-do-not-send="true">https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c</a></font>
          and realized I forgot to call ENGINE_ctrl_cmd(...) to set up
          "LOAD_CERT_CTRL". However, when I do this, the callback
          function is no longer being called during the mutual
          authentication handshake. I'm wondering if I have the
          parameter "cert_info.s_slot_cert_id" incorrectly configured.
          Here is what my code looks like:<br>
              <br>
          <blockquote><font face="monospace">struct</font><br>
            <font face="monospace">{</font><br>
            <font face="monospace">   const char* s_slot_cert_id;</font><br>
            <font face="monospace">   X509* cert;</font><br>
            <font face="monospace">} cert_info;<br>
            </font><font face="monospace"><b>cert_info.s_slot_cert_id =
"a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45";</b></font><br>
            <font face="monospace">cert_info.cert = NULL;</font><br>
            <br>
            <font face="monospace"><b>ENGINE_ctrl_cmd(engine,
                "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0);</b></font><br>
            <b><font face="monospace">SSL_CTX_use_certificate(sslContext,
                cert_info.cert);</font></b><br>
          </blockquote>
          <br>
          I tried manually using LOAD_CERT_CTRL in the openssl shell but
          I cannot seem to get it to work and cannot find any examples
          of how to use it.  Is the syntax for <font face="monospace"><b>LOAD_CERT_CTRL</b>
            correct? I am using<b> </b></font><font face="monospace"><b>"LOAD_CERT_CTRL:&lt;certificate
              Object ID&gt;".</b></font><br>
          <br>
          <blockquote><font face="monospace">OpenSSL> engine -vvvv -t
              dynamic -pre
              "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll"
              -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
              "MODULE_PATH:C:\Program Files (x86)\HID
              Global\ActivClient\\acpkcs211.dll" -pre PIN:123456 -pre
              FORCE_LOGIN <b>-pre
"LOAD_CERT_CTRL:a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45"<br>
                <br>
              </b></font><font face="monospace">(dynamic) Dynamic engine
              loading support</font><br>
            <font face="monospace">[Success]:
              SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll</font><br>
            <font face="monospace">[Success]: ID:pkcs11</font><br>
            <font face="monospace">[Success]: LIST_ADD:1</font><br>
            <font face="monospace">[Success]: LOAD</font><br>
            <font face="monospace">[Success]: MODULE_PATH:C:\Program
              Files (x86)\HID Global\ActivClient\\acpkcs211.dll</font><br>
            <font face="monospace">[Success]: PIN:123456</font><br>
            <font face="monospace">[Success]: FORCE_LOGIN</font><br>
            <b><font face="monospace">[Failure]:
LOAD_CERT_CTRL:a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45</font></b><b><br>
            </b><b><font face="monospace">4196:error:260AB086:engine
                routines:ENGINE_ctrl_cmd_string:cmd not
                executable:.\crypto\engine\eng_ctrl.c:316:</font></b><br>
            <font face="monospace">Loaded: (pkcs11) pkcs11 engine</font><br>
            <font face="monospace">     [ available ]</font><br>
            <font face="monospace">     SO_PATH: Specifies the path to
              the 'pkcs11' engine shared library</font><br>
            <font face="monospace">          (input flags): STRING</font><br>
            <font face="monospace">     MODULE_PATH: Specifies the path
              to the PKCS#11 module shared library</font><br>
            <font face="monospace">          (input flags): STRING</font><br>
            <font face="monospace">     PIN: Specifies the pin code</font><br>
            <font face="monospace">          (input flags): STRING</font><br>
            <font face="monospace">     VERBOSE: Print additional
              details</font><br>
            <font face="monospace">          (input flags): NO_INPUT</font><br>
            <font face="monospace">     QUIET: Remove additional details</font><br>
            <font face="monospace">          (input flags): NO_INPUT</font><br>
            <font face="monospace">     <b>LOAD_CERT_CTRL: Get the
                certificate from card</b></font><b><br>
            </b><b><font face="monospace">          (input flags):
                [Internal]</font></b><br>
            <font face="monospace">     INIT_ARGS: Specifies additional
              initialization arguments to the PKCS#11 module</font><br>
            <font face="monospace">          (input flags): STRING</font><br>
            <font face="monospace">     SET_USER_INTERFACE: Set the
              global user interface (internal)</font><br>
            <font face="monospace">          (input flags): [Internal]</font><br>
            <font face="monospace">     SET_CALLBACK_DATA: Set the
              global user interface extra data (internal)</font><br>
            <font face="monospace">          (input flags): [Internal]</font><br>
            <font face="monospace">     FORCE_LOGIN: Force login to the
              PKCS#11 module</font><br>
            <font face="monospace">          (input flags): NO_INPUT</font><br>
            <font face="monospace">OpenSSL></font><br>
          </blockquote>
          <br>
          I'm using the certificate object ID
          "a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45"
          for LOAD_CERT_CTRL. Is this right? (I also tried adding "0:"
          in front of it to indicate slot 0, but that did not work
          either.)<br>
        </div>
      </blockquote>
      <br>
      <br>
      This has little to do with OpenSSL at the moment and more with
      libp11 - perhaps someone more knowledgeable on the libp11 mailing
      list can help you. <br>
      <br>
      I'd try to use <br>
        -post LOAD_CERT_CTRL<br>
      instead of '-pre', as you want this done after the engine has been
      loaded.<br>
      <br>
      The cert ID does look OK. Note that if you want to use the
      s_client command that you canNOT specify the certificate form
      '-certform engine' as the code does not grok that.<br>
      <br>
      HTH,<br>
      <br>
      JJK<br>
      <br>
    </blockquote>
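<p>Added here as an example, not code from the thread, libp11 or OpenSSL: a Python helper that unpacks the packed code in the quoted <font face="monospace">4196:error:260AB086:...</font> line using OpenSSL 1.0.2's lib/func/reason layout (the name tables are assumed partial extracts of its headers) and applies OpenSSL's executability rule to the engine's <font face="monospace">-vvvv</font> listing (constructed from the quoted output). It shows why a command listed as <font face="monospace">[Internal]</font>, like LOAD_CERT_CTRL, fails under <font face="monospace">-pre</font> and <font face="monospace">-post</font> alike and has to be issued through ENGINE_ctrl_cmd() from code, as in the first message.</p>

```python
import re

# OpenSSL 1.0.2 packs an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
# These name tables are hand-copied partial extracts of the 1.0.2 err.h / engine.h.
LIBS = {38: "ERR_LIB_ENGINE"}
ENGINE_FUNCS = {171: "ENGINE_F_ENGINE_CTRL_CMD_STRING"}
ENGINE_REASONS = {134: "ENGINE_R_CMD_NOT_EXECUTABLE"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
CMD_RE = re.compile(r"^\s+([A-Z_]+): ")
FLAGS_RE = re.compile(r"\(input flags\): (.+)$")

# Constructed sample: an excerpt of the `openssl engine -vvvv` listing quoted above.
ENGINE_LISTING = """\
     SO_PATH: Specifies the path to the 'pkcs11' engine shared library
          (input flags): STRING
     LOAD_CERT_CTRL: Get the certificate from card
          (input flags): [Internal]
     FORCE_LOGIN: Force login to the PKCS#11 module
          (input flags): NO_INPUT
"""

def decode_error(line):
    """Unpack the hex code of an 'NNNN:error:XXXXXXXX:...' line into
    (lib, func, reason); numbers stay numeric when the tables lack a name."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    return (LIBS.get(lib, lib), ENGINE_FUNCS.get(func, func),
            ENGINE_REASONS.get(reason, reason))

def string_executable(listing):
    """Map each listed command to whether ENGINE_ctrl_cmd_string (the path
    behind -pre/-post) may run it: not [Internal], and accepting NO_INPUT,
    NUMERIC or STRING input, mirroring OpenSSL's int_ctrl_cmd_is_executable."""
    result, current = {}, None
    for line in listing.splitlines():
        m = CMD_RE.match(line)
        if m:
            current = m.group(1)
            continue
        f = FLAGS_RE.search(line)
        if f and current:
            flags = [x.strip() for x in f.group(1).split("|")]
            takes_input = any(x in ("NO_INPUT", "NUMERIC", "STRING") for x in flags)
            result[current] = "[Internal]" not in flags and takes_input
    return result
```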
    <br>
  </body>
</html>