On 12/20/2012 7:54 AM, Matthew Zimmerman wrote:
> I'm trying to debug an SSL connection to a webserver utilizing my PIV
> Authentication Certificate and the associated private key on my card
> and I believe I've found a bug in mechanism.c
>
> I *think* I'm doing everything correctly, although documentation on
> the engine in openssl are *very* sparse.  Here's how I'm setting up
> the connection.
>
> openssl
> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:src/pkcs11/.libs/opensc-pkcs11.so -pre VERBOSE
> s_client -engine pkcs11 -connect webserver:443 -CAfile ca.crt -cert pivauth.crt -certform PEM -key 1:01 -keyform engine -prexit
>
> According to the opensc tools, my card is in slot 1 and my key is id
> 01.  I'm fairly certain I'm using the -key and -keyform parameters
> correctly but I'm not sure of -cert and -certform.  Should I instead
> be telling openssl how to pull the cert from my card instead of the
> local file (which corresponds with the key?)  How do I do that?  (I've
> tried a few ways.)

The OpenSC engine can pull the cert from the card, but it looks like
the OpenSSL s_client does not support using an engine for the cert.
It calls load_cert. Look at the load_cert (vs the load_key) routines
in the OpenSSL src/apps/apps.c. It does not recognize FORMAT_ENGINE.

So you have to get the cert off the card in a separate step:

   pkcs15-tool -r 01 > cert.01.pem


For the -key parameter, I have always used slot_1-id_01 for the auth cert.
I had not looked to see if 1:01 works too.

An example:

openssl << EOT
engine dynamic -vvvv -pre SO_PATH:$OPENSC_ENGINE/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:$OPENSC_PATH/opensc-pkcs11.so
dgst -engine pkcs11 -keyform engine -sign slot_1-id_02 -c -out /tmp/test.ec.sig.out fake.ec.key/ec.msg.txt
EOT

>
> This will prompt me for my pin, but then segfaults on line 428 of
> mechanism.c -- seemingly data is pointing to an address but has no
> member buffer_len (this could be wrong, my c and gdb experience is
> highly lacking)
>
> Found slot:  Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
> Found token: PIV_II (PIV Card Holder pin)
> Found 4 certificates:
>     1    Certificate for PIV Authentication
>     2    Certificate for Digital Signature
>     3    Certificate for Key Management
>     4    Certificate for Card Authentication
> PKCS#11 token PIN:
> Found 4 keys:
>     1 P  PIV AUTH key
>     2 P  SIGN key
>     3 P  KEY MAN key
>     4 P  CARD AUTH key
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00002aaaac155660 in sc_pkcs11_signature_final (operation=0x6cb7d0,
> pSignature=0x7fffffffda30 "", pulSignatureLen=0x0) at mechanism.c:428
> 428  sc_log(context, "data length %li", data->buffer_len);
> (gdb) print data
> $1 = (struct signature_data *) 0x30
> (gdb) print data->buffer_len
> Cannot access memory at address 0x248
> (gdb) backtrace
> #0  0x00002aaaac155660 in sc_pkcs11_signature_final
> (operation=0x6cb7d0, pSignature=0x7fffffffda30 "",
> pulSignatureLen=0x0) at mechanism.c:428
> #1  0x00002aaaab036e3d in look_str_cb () from /usr/lib/libcrypto.so.1.0.0
> #2  0x00002aaaab04722c in lh_doall_arg () from /usr/lib/libcrypto.so.1.0.0
> #3  0x00002aaaab03565c in engine_table_doall () from 
> /usr/lib/libcrypto.so.1.0.0
> #4  0x00002aaaab037203 in ENGINE_pkey_asn1_find_str () from
> /usr/lib/libcrypto.so.1.0.0
> #5  0x00002aaaab071fa3 in EVP_PKEY_asn1_find_str () from
> /usr/lib/libcrypto.so.1.0.0
> #6  0x00002aaaaad179d7 in ssl_create_cipher_list () from
> /usr/lib/libssl.so.1.0.0
> #7  0x00002aaaaad10964 in SSL_CTX_new () from /usr/lib/libssl.so.1.0.0
> #8  0x000000000043d07e in ?? ()
> #9  0x0000000000419587 in ?? ()
> #10 0x000000000041927d in ?? ()
> #11 0x00002aaaab363725 in __libc_start_main () from /usr/lib/libc.so.6
> #12 0x000000000041934d in ?? ()
> #13 0x00007fffffffe598 in ?? ()
> #14 0x0000000000000000 in ?? ()
>
> Thanks for any advice/patches/help :)
> Matt
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
>

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
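The crash quoted above faults on `data->buffer_len` with `data` at the bogus address 0x30 and `pulSignatureLen` NULL, and the next statement would have written through that NULL pointer. As an added illustration (not OpenSC's code; the `struct signature_data`, `struct operation` and `signature_final` below are stand-ins defined for this example), here is the argument and state validation a C_SignFinal-style routine should perform before dereferencing anything, including the PKCS#11 length-query case; note that a NULL check catches an uninitialized operation but cannot recognise a garbage non-NULL pointer such as 0x30.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative model only; these mirror PKCS#11 names but are
 * defined here for the example, not taken from OpenSC. */
typedef unsigned long CK_RV;
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BYTE;
#define CKR_OK                        0x00UL
#define CKR_ARGUMENTS_BAD             0x07UL
#define CKR_OPERATION_NOT_INITIALIZED 0x91UL
#define CKR_BUFFER_TOO_SMALL          0x150UL

/* Hypothetical per-operation state accumulated by signature_update. */
struct signature_data {
    CK_BYTE  buffer[256];
    CK_ULONG buffer_len;
};

/* Hypothetical operation handle; priv_data stays NULL until sign_init. */
struct operation {
    struct signature_data *priv_data;
};

/* Hardened C_SignFinal-style routine: every pointer is validated
 * before it is logged, read or written through. */
CK_RV signature_final(struct operation *op, CK_BYTE *pSignature,
                      CK_ULONG *pulSignatureLen)
{
    struct signature_data *data;

    if (pulSignatureLen == NULL)              /* backtrace above: 0x0 */
        return CKR_ARGUMENTS_BAD;
    if (op == NULL || op->priv_data == NULL)  /* no sign_init yet */
        return CKR_OPERATION_NOT_INITIALIZED;
    data = op->priv_data;

    /* PKCS#11 length query: NULL output buffer asks for the size only. */
    if (pSignature == NULL) {
        *pulSignatureLen = data->buffer_len;
        return CKR_OK;
    }
    if (*pulSignatureLen < data->buffer_len) {
        *pulSignatureLen = data->buffer_len;  /* tell caller what fits */
        return CKR_BUFFER_TOO_SMALL;
    }
    /* Stand-in for the card signing step: echo the accumulated data. */
    memcpy(pSignature, data->buffer, data->buffer_len);
    *pulSignatureLen = data->buffer_len;
    return CKR_OK;
}
```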