Re: [opensc-devel] Openssl pkcs11-engine using s_client with PIV card

2012-12-20 Thread Matthew Zimmerman
Doug, thanks, I got it working now.  Turns out it was the -t I was
throwing to the openssl engine command... I don't know where I saw
that or what it even does, but if I don't use it there's no segfault
and the connection succeeds!  Now to figure out what's different in
the TLS/SSL libraries that both Chromium and Firefox fail...

engine - dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
MODULE_PATH:src/pkcs11/.libs/opensc-pkcs11.so -pre VERBOSE

s_client -engine pkcs11 -connect webserver:443 -CAfile ca.crt -state
-cert cert.01.pem -key 1:01 -keyform engine

On Thu, Dec 20, 2012 at 10:58 AM, Douglas E. Engert wrote:
> The OpenSC engine can pull the cert from the card, but it looks like
> the OpenSSL s_client does not support using an engine for the cert.
> It calls load_cert. Look at the load_cert (vs the load_key) routines
> in the OpenSSL src/apps/apps.c. It does not recognize FORMAT_ENGINE.
Good to know as I kept thinking that it was where/how openssl was
getting the cert that was the issue.

> For the -key parameter, I have always used slot_1-id_01 for the auth cert.
> I had not looked to see if 1:01 works too.
I found that 1:01 works too!

Matt
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
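As an added example (not part of the thread, and not OpenSC's or OpenSSL's own code), the POSIX shell script below scripts the session that worked in Matthew's reply: it feeds the `engine` and `s_client` lines to the `openssl` prompt non-interactively, builds the engine_pkcs11 key identifier in the `slot_1-id_01` form Doug mentions, and leaves out the `-t` (engine test) flag that produced the segfault. The paths in ENGINE_SO and MODULE_SO, the function names and the PIV_HOST environment variable are assumptions; `ca.crt`, `cert.01.pem`, slot 1 and key id 01 are taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the opensc-devel thread.
# Assumed install paths; override via the environment if yours differ.
ENGINE_SO="${ENGINE_SO:-/usr/lib/engines/engine_pkcs11.so}"
MODULE_SO="${MODULE_SO:-/usr/lib/opensc-pkcs11.so}"

# Build the engine_pkcs11 key identifier from a slot number and an
# object id.  The thread notes both "slot_1-id_01" and "1:01" work;
# this emits the long form.  Rejects anything that is not a decimal
# slot and a hex id so a typo cannot silently select the wrong key.
piv_key_id() {
    slot="$1"; id="$2"
    case "$slot" in *[!0-9]*|"") echo "bad slot: $slot" >&2; return 1;; esac
    case "$id" in *[!0-9a-fA-F]*|"") echo "bad id: $id" >&2; return 1;; esac
    printf 'slot_%s-id_%s\n' "$slot" "$id"
}

# Emit the two command lines that are typed at the "OpenSSL>" prompt.
# Note there is no "-t" after "engine": that flag is what segfaulted.
# The cert still comes from a local file because the s_client load_cert
# path does not support FORMAT_ENGINE (Doug's point in the thread).
piv_openssl_script() {
    host="$1"; ca="$2"; cert="$3"; keyid="$4"
    cat <<EOF
engine dynamic -pre SO_PATH:$ENGINE_SO -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:$MODULE_SO
s_client -engine pkcs11 -connect $host:443 -CAfile $ca -state -cert $cert -key $keyid -keyform engine
EOF
}

# Pipe the script into the interactive openssl binary.  engine_pkcs11
# prompts for the PIV PIN on the controlling terminal, not on stdin.
piv_s_client() {
    piv_openssl_script "$@" | openssl
}

# Only talk to a server when explicitly asked (assumed PIV_HOST variable).
if [ -n "${PIV_HOST:-}" ]; then
    piv_s_client "$PIV_HOST" ca.crt cert.01.pem "$(piv_key_id 1 01)"
fi
```

Usage: `PIV_HOST=webserver sh piv_s_client.sh`. The `-state` flag makes s_client print each handshake state, which is the cheapest way to see whether the card-backed signature (the step that crashed in `sc_pkcs11_signature_final`) is actually reached.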


[opensc-devel] Openssl pkcs11-engine using s_client with PIV card

2012-12-20 Thread Matthew Zimmerman
I'm trying to debug an SSL connection to a webserver utilizing my PIV
Authentication Certificate and the associated private key on my card
and I believe I've found a bug in mechanism.c

I *think* I'm doing everything correctly, although documentation on
the engine in openssl is *very* sparse.  Here's how I'm setting up
the connection.

openssl
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre
ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
MODULE_PATH:src/pkcs11/.libs/opensc-pkcs11.so -pre VERBOSE
s_client -engine pkcs11 -connect webserver:443 -CAfile ca.crt -cert
pivauth.crt -certform PEM -key 1:01 -keyform engine -prexit

According to the opensc tools, my card is in slot 1 and my key is id
01.  I'm fairly certain I'm using the -key and -keyform parameters
correctly but I'm not sure of -cert and -certform.  Should I instead
be telling openssl how to pull the cert from my card instead of the
local file (which corresponds with the key?)  How do I do that?  (I've
tried a few ways.)

This will prompt me for my pin, but then segfaults on line 428 of
mechanism.c -- seemingly data is pointing to an address but has no
member buffer_len (this could be wrong, my c and gdb experience is
highly lacking)

Found slot:  Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
Found token: PIV_II (PIV Card Holder pin)
Found 4 certificates:
   1 Certificate for PIV Authentication
   2 Certificate for Digital Signature
   3 Certificate for Key Management
   4 Certificate for Card Authentication
PKCS#11 token PIN:
Found 4 keys:
   1 P  PIV AUTH key
   2 P  SIGN key
   3 P  KEY MAN key
   4 P  CARD AUTH key

Program received signal SIGSEGV, Segmentation fault.
0x2c155660 in sc_pkcs11_signature_final (operation=0x6cb7d0,
pSignature=0x7fffda30 "", pulSignatureLen=0x0) at mechanism.c:428
428  sc_log(context, "data length %li", data->buffer_len);
(gdb) print data
$1 = (struct signature_data *) 0x30
(gdb) print data->buffer_len
Cannot access memory at address 0x248
(gdb) backtrace
#0  0x2c155660 in sc_pkcs11_signature_final
(operation=0x6cb7d0, pSignature=0x7fffda30 "",
pulSignatureLen=0x0) at mechanism.c:428
#1  0x2b036e3d in look_str_cb () from /usr/lib/libcrypto.so.1.0.0
#2  0x2b04722c in lh_doall_arg () from /usr/lib/libcrypto.so.1.0.0
#3  0x2b03565c in engine_table_doall () from /usr/lib/libcrypto.so.1.0.0
#4  0x2b037203 in ENGINE_pkey_asn1_find_str () from
/usr/lib/libcrypto.so.1.0.0
#5  0x2b071fa3 in EVP_PKEY_asn1_find_str () from
/usr/lib/libcrypto.so.1.0.0
#6  0x2ad179d7 in ssl_create_cipher_list () from
/usr/lib/libssl.so.1.0.0
#7  0x2ad10964 in SSL_CTX_new () from /usr/lib/libssl.so.1.0.0
#8  0x0043d07e in ?? ()
#9  0x00419587 in ?? ()
#10 0x0041927d in ?? ()
#11 0x2b363725 in __libc_start_main () from /usr/lib/libc.so.6
#12 0x0041934d in ?? ()
#13 0x7fffe598 in ?? ()
#14 0x in ?? ()

Thanks for any advice/patches/help :)
Matt