Hi Jan,
Thanks for your response. It looks like I don't already have the PPP
and PPPD. Do I need to download and install the following?
https://github.com/jjkeijser/ppp/tree/eap-tls
I am using OpenSSL in Windows 10 and compiled it with Visual Studio
2019. Will this EAP-TLS code compile/work with Visual Studio in Windows?
Are there any other ways to get the Smart Card to work without needing
to install additional software?
Thanks!
George
On 2020-12-14 3:51 a.m., Jan Just Keijser wrote:
Hi,
On 14/12/20 08:08, George wrote:
Hi,
I'm new to OpenSSL and am trying to set up mutual authentication
in a client. The client is set up with OpenSSL 1.0.2u, and the
client's certificate + private key is stored on a Smart Card. When
the client receives a certificate request from the server during the
mutual authentication handshake, the OpenSSL client_cert_cb
callback function is automatically invoked. The problem is that
client_cert_cb requires a private key. Unfortunately, it is not
possible to get a private key from a Smart Card. Is there a way to
send a certificate to the server without needing the private key?
I'm setting up the callback function with:
void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int
(*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
Here is a sample of what my code looks like when I set this up:
SSL_CTX_set_client_cert_cb(context, openSSLClientAuthenticationCallBack);

int openSSLClientAuthenticationCallBack(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
{
    . . .
}
I can access the Smart Card using the PKCS#11 interface and I'm able
to get the certificate and sign it, etc. However, I cannot get the
actual private key from the Smart Card.
Does anyone know how I can get around this problem?
To use a pkcs#11 smartcard you normally use the OpenSSL pkcs11 engine;
you then do something like:
#include <openssl/engine.h>
#include <openssl/ssl.h>

/* load the 'pkcs11' engine through the 'dynamic' engine; NULL on failure */
static ENGINE *eaptls_ssl_load_engine( const char *engine_name )
{
    ENGINE *pkey_engine = NULL;

    ENGINE_load_builtin_engines();      /* makes the 'dynamic' engine available */
    ENGINE_register_all_complete();
    pkey_engine = ENGINE_by_id( "dynamic" );
    if (pkey_engine)
    {
        if (!ENGINE_ctrl_cmd_string(pkey_engine, "SO_PATH", engine_name, 0)
         || !ENGINE_ctrl_cmd_string(pkey_engine, "LOAD", NULL, 0))
        {
            warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name );
            log_ssl_errors();
            ENGINE_free(pkey_engine);
            pkey_engine = NULL;
        }
    }
    /* the engine must be initialised before keys can be loaded from it */
    if (pkey_engine && !ENGINE_init(pkey_engine))
    {
        warn( "EAP-TLS: Error initialising engine '%s'", engine_name );
        log_ssl_errors();
        ENGINE_free(pkey_engine);
        pkey_engine = NULL;
    }
    if (pkey_engine && !ENGINE_set_default(pkey_engine, ENGINE_METHOD_ALL))
    {
        warn( "EAP-TLS: Error setting default engine '%s'", engine_name );
        log_ssl_errors();
        ENGINE_finish(pkey_engine);
        ENGINE_free(pkey_engine);
        pkey_engine = NULL;
    }
    return pkey_engine;
}

/* then, when setting up the SSL context: */
pkey_engine = eaptls_ssl_load_engine( "pkcs11" );
pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier,
                               transfer_pin, &cb_data);
SSL_CTX_use_PrivateKey(ctx, pkey);
where "transfer_pin" is a callback UI function to query the user for
the pkcs11 device password.
More detailed code can be found in my pppd EAP-TLS patch, file
eap-tls.c at
https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c
(and search for pkey_engine)
HTH,
JJK