<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">I found out what my problem is! I'm
running it in FIPS mode and this causes the PKCS11 engine to fail
during mutual authentication. I eventually traced the problem to
the following issue:<br>
<a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=1827535">https://bugzilla.redhat.com/show_bug.cgi?id=1827535</a><br>
<br>
It looks like there is a bug in libp11. Once I made the suggested
workaround, it worked. <br>
My original code, which is based on <br>
<a class="moz-txt-link-freetext" href="https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c">https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c</a><br>
worked perfectly after I added in the libp11 fix. :)<br>
<br>
<br>
Thanks!<br>
George<br>
<br>
<br>
On 2021-01-11 11:01 a.m., Jan Just Keijser wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1b5335f6-0350-1acc-e019-cc58f50f5043@nikhef.nl">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div class="moz-cite-prefix">Hi,<br>
<br>
On 08/01/21 22:35, George wrote:<br>
</div>
<blockquote type="cite"
cite="mid:95f017bb-6946-f37d-e585-05367f0e2da7@gmail.com">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<div class="moz-cite-prefix">Hi,<br>
<br>
I have been trying to setup mutual authentication using a
smart card but I can't seem to get the OpenSSL Engine to send
a response back to the server containing client's certificate
from the smart card. <br>
<br>
I'm using the following to configure the certificate and
private key:<br>
<br>
ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0,
&cert_info, NULL, 0);<br>
SSL_CTX_use_certificate(sslContext, cert_info.cert);<br>
<br>
EVP_PKEY* privateKey = ENGINE_load_private_key(engine,
"2b2586c684d69b670c0a805edf514e720f2b757d8e2faa0b3a7ff23d1ccfc7ba",
transfer_pin, &cb_data);<br>
SSL_CTX_use_PrivateKey(sslContext, privateKey);<br>
<br>
(I have been using the code in <a
class="moz-txt-link-freetext"
href="https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c"
moz-do-not-send="true">https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c</a>
as a guide.)<br>
<br>
This seems be successful. However, when I start the mutual
authentication with <br>
SSL_connect(ssl)<br>
, the mutual authentications handshake fails. I can see the
server requesting the certificate from the client and the
client sends back an ACK for this message. However, the client
does not send the certificate to the server.<br>
<br>
I was looking through the OpenSSL code
openssl-1.0.2u\ssl\ssl_rsa.c and noticed something
interesting. The comment indicates that the flag <b>RSA_METHOD_FLAG_NO_CHECK</b>
should be set for smart cards:<br>
<br>
static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)<br>
{<br>
. . .<br>
#ifndef OPENSSL_NO_RSA<br>
<b> /*</b><b><br>
</b><b> * Don't check the public/private key, this is
mostly for smart</b><b><br>
</b><b> * cards.</b><b><br>
</b><b> */</b><br>
if ((pkey->type == EVP_PKEY_RSA) &&<br>
(RSA_flags(pkey->pkey.rsa) &
RSA_METHOD_FLAG_NO_CHECK)) ;<br>
else<br>
#endif<br>
. . .<br>
}<br>
<br>
However, it is not actually set when I use a debugger to
inspect the flag. Does it need to be set? If so, how is this
done? I could not find anything related to this in <br>
<a class="moz-txt-link-freetext"
href="https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c"
moz-do-not-send="true">https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c</a><br>
</div>
</blockquote>
<br>
<br>
if you read through the code blob that Michael pointed you to, you
will find that this flag needs to be set *under certain
circumstances* when using smartcards. It has to do mostly with the
situation where<br>
- private key is on the smart card<br>
- the public key/certificate is NOT on the smart card<br>
- you ask OpenSSL to verify the private key without explicitly
providing a public key.<br>
<br>
I've never run into this issue, but then again, I have not tested
very often the case where the certificate was not present on the
HSM/smart card but the private key is. YMMV.<br>
<br>
As for using pksc11helper versus using libp11: that is just a
matter of taste. I used the engine_pkcs11 + libp11 route for the
eap-tls code , mostly because it was the first "working" set of
tools I found at the time.<br>
<br>
You can also take the "pkcs11helper" route, which is what OpenVPN
does (see <a class="moz-txt-link-freetext"
href="https://github.com/openvpn" moz-do-not-send="true">https://github.com/openvpn</a>).
Both methods have pro's and con's. <br>
<br>
Do you run into problems if you DO not set the
RSA_METHOD_FLAG_NO_CHECK flag? All that flag does is to stop
OpenSSL from verifying that a public key/cert and private key
match/belong together for RSA keys only; if your smartcard
supports EC keys then this flag will do you no good.<br>
<br>
HTH,<br>
<br>
JJK<br>
<br>
</blockquote>
<br>
</body>
</html>