Re: openssl error while retrieving key from smartcard from wpa_supplicant?
Nils Larsch wrote:
> Carles Fernandez i Julia wrote:
> ...
>> That's the point: I have the private key certificate stored in the smartcard, not located in a plain file. That's why I commented the line above.
> the engine doesn't support using certificates stored on smart cards (and I don't even think that this is extremely useful).

But this engine, pkcs11-opensc, is designed to do this (using certificates on smartcards).

> Nils

--
Carles Fernàndez
CESCA - Centre de Supercomputació de Catalunya
Dept. de Comunicacions
Gran Capità, 2-4 (Edifici Nexus) · 08034 Barcelona
T. 93 205 6464 · F. 93 205 6979 · [EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: openssl error while retrieving key from smartcard from wpa_supplicant?
Marek Marcola wrote:
>> Hello,
>> I'm currently trying to authenticate using EAP-TLS using a smartcard with wpa_supplicant and I get this error:
>>
>> OpenSSL: tls_connection_engine_private_key - Private key failed verification error:140A30B1:SSL routines:SSL_check_private_key:no certificate assigned
>>
>> I got some messages
>>
>> Error: can't open /var/run/openct/status: No such file or directory
>>
>> but I get these messages always when I use my smartcard reader (and it works).
> Looks like you have not configured an X509 private key certificate.
>
>> plain text document attachment (wpa_supplicant.conf)
>> ctrl_interface=/var/run/wpa_supplicant
>> ctrl_interface_group=0
>> eapol_version=1
>> fast_reauth=1
>> pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
>> pkcs11_module_path=/usr/lib/opensc-pkcs11.so
>> network={
>>   ssid=*
>>   key_mgmt=WPA-EAP
>>   eap=TLS
>>   proto=WPA
>>   pairwise=TKIP
>>   group=TKIP
>>   identity=[EMAIL PROTECTED]
>>   ca_cert=/etc/wpa_supplicant/CA_CATCertPP_GlobalTrust.crt
>>   #client_cert=/etc/cert/user.pem
> I'm not sure, but this may be the place to configure the certificate. You should have your private key certificate. This certificate may be located in a plain file. To check that your certificate certifies the proper private key you may do something like this (test example):

That's the point: I have the private key certificate stored in the smartcard, not located in a plain file. That's why I commented the line above.

> $ openssl rsa -engine chil -in rsa-test2 -inform engine -modulus -noout
> engine chil set.
> Modulus=D14731D19EF32A3D458EE61B219A0E019...
> $ openssl x509 -in rsa-test2-crt.pem -modulus -noout
> Modulus=D14731D19EF32A3D458EE61B219A0E019
>
> and you should get the same numbers.

I've tried in all ways to do this test with the pkcs11 module, using my smartcard, but I didn't succeed. Maybe the structure is different when not operating with files.

> Best regards,

Thank you for your effort!

--
Carles Fernàndez, CESCA
openssl error while retrieving key from smartcard from wpa_supplicant?
Hi,

I'm currently trying to authenticate using EAP-TLS using a smartcard with wpa_supplicant and I get this error:

OpenSSL: tls_connection_engine_private_key - Private key failed verification error:140A30B1:SSL routines:SSL_check_private_key:no certificate assigned

I got some messages

Error: can't open /var/run/openct/status: No such file or directory

but I get these messages always when I use my smartcard reader (and it works). I've googled and I got nothing useful. Any idea?

ps: I've ***ed personal data from attached files

thanks,
Carles

(attachment: wpa_supplicant.conf)

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
fast_reauth=1
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/lib/opensc-pkcs11.so

network={
  ssid=*
  key_mgmt=WPA-EAP
  eap=TLS
  proto=WPA
  pairwise=TKIP
  group=TKIP
  identity=[EMAIL PROTECTED]
  ca_cert=/etc/wpa_supplicant/CA_CATCertPP_GlobalTrust.crt
  #client_cert=/etc/cert/user.pem
  # scan_ssid=1
  engine=1
  # The engine configured here must be available. Look at
  # OpenSSL engine support in the global section.
  # The key available through the engine must be the private key
  # matching the client certificate configured above.
  # use the opensc engine
  #engine_id=opensc
  #key_id=45
  # use the pkcs11 engine
  engine_id=pkcs11
  key_id=e451d1d1197caf4c74c33d9143986a28c9c34a55
  # Optional PIN configuration; this can be left out and PIN will be
  # asked through the control interface
  pin=
}

(attachment: wpa_supplicant debug output)

[EMAIL PROTECTED]:~$ sudo wpa_supplicant -D wext -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -ddd
Initializing interface 'eth1' conf '/etc/wpa_supplicant/wpa_supplicant.conf' driver 'wext' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' - '/etc/wpa_supplicant/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group='0' (DEPRECATED)
eapol_version=1
fast_reauth=1
pkcs11_engine_path='/usr/lib/engines/engine_pkcs11.so'
pkcs11_module_path='/usr/lib/opensc-pkcs11.so'
Line: 17 - start of a new network block
ssid - hexdump_ascii(len=7): ** ** ** ** ** *
key_mgmt: 0x1
eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00
proto: 0x1
pairwise: 0x8
group: 0x8
identity - hexdump_ascii(len=40): ** ** ** ** ** *** ** ** ***
ca_cert - hexdump_ascii(len=48):
     2f 65 74 63 2f 77 70 61 5f 73 75 70 70 6c 69 63   /etc/wpa_supplic
     61 6e 74 2f 43 41 5f 43 41 54 43 65 72 74 50 50   ant/CA_CATCertPP
     5f 47 6c 6f 62 61 6c 54 72 75 73 74 2e 63 72 74   _GlobalTrust.crt
engine=1 (0x1)
engine_id - hexdump_ascii(len=6):
     70 6b 63 73 31 31                                 pkcs11
key_id - hexdump_ascii(len=40):
     65 34 35 31 64 31 64 31 31 39 37 63 61 66 34 63   e451d1d1197caf4c
     37 34 63 33 33 64 39 31 34 33 39 38 36 61 32 38   74c33d9143986a28
     63 39 63 33 34 61 35 35                           c9c34a55
pin - hexdump_ascii(len=4): [REMOVED]
Priority group 0
   id=0 ssid='***'
Initializing interface (2) 'eth1'
ENGINE: Loading dynamic engine
ENGINE: Loading pkcs11 Engine from /usr/lib/engines/engine_pkcs11.so
ENGINE: 'SO_PATH' '/usr/lib/engines/engine_pkcs11.so'
ENGINE: 'ID' 'pkcs11'
ENGINE: 'LIST_ADD' '1'
ENGINE: 'LOAD' '(null)'
ENGINE: 'MODULE_PATH' '/usr/lib/opensc-pkcs11.so'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
SIOCGIWRANGE: WE(compiled)=21 WE(source)=16 enc_capa=0xf
  capabilities: key_mgmt 0xf enc 0xf
WEXT: Operstate: linkmode=1, operstate=5
Own MAC address: 00:13:02:61:79:24
wpa_driver_wext_set_wpa
wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=1 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=2 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=3 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_countermeasures
wpa_driver_wext_set_drop_unencrypted
Setting scan request: 0 sec 10 usec
ctrl_interface_group=0
Added interface eth1
RTM_NEWLINK: operstate=0 ifi_flags=0x1002 ()
Wireless event: cmd=0x8b06 len=8
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'eth1' added
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'eth1' added
State: DISCONNECTED - SCANNING
Starting AP scan (broadcast SSID)
Trying to get current scan results first without requesting a new scan to speed up initial association
Received 1539 bytes of scan results (7 BSSes)
Scan results: 7
Selecting BSS from priority group 0
0:
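The misconfiguration the thread converges on (private key supplied through the pkcs11 engine while client_cert is commented out, so SSL_check_private_key has no certificate to verify the key against) can be caught before wpa_supplicant is even started. The following checker is an added example, not code from wpa_supplicant or from anyone in the thread; it parses the network={...} block of a wpa_supplicant.conf and reports the missing pieces. The sample configuration is constructed to mirror the one posted above, with the SSID, CA file and key_id replaced by placeholders.

```python
# Constructed sample modelled on the wpa_supplicant.conf posted in the thread;
# SSID, CA file and key_id are placeholders, not the original values.
SAMPLE_CONF = """\
network={
    ssid="example-ssid"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert=/etc/wpa_supplicant/ca.crt
    #client_cert=/etc/cert/user.pem
    engine=1
    engine_id=pkcs11
    key_id=0000000000000000000000000000000000000000
    pin=
}
"""

def parse_networks(text):
    """Return the network={...} blocks as dicts; '#' comments are dropped."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def check_eap_tls(net):
    """Findings for one EAP-TLS block; an empty list means nothing obvious is wrong."""
    findings = []
    if not net.get("ca_cert"):
        findings.append("ca_cert missing: the server certificate will not be validated")
    if net.get("engine") == "1":
        # Key lives in the engine: a client_cert is still needed for SSL_check_private_key.
        for key in ("engine_id", "key_id"):
            if not net.get(key):
                findings.append(f"engine=1 but {key} is not set")
        if not net.get("client_cert"):
            findings.append("key via engine but no client_cert: SSL_check_private_key "
                            "reports 'no certificate assigned'")
    elif not (net.get("client_cert") and net.get("private_key")):
        findings.append("EAP-TLS without an engine needs both client_cert and private_key")
    return findings

def lint(text):
    """Check every EAP-TLS network block of a wpa_supplicant.conf text."""
    return [check_eap_tls(n) for n in parse_networks(text) if n.get("eap") == "TLS"]
```

Run lint() over the real file before starting the supplicant; a non-empty list for a block explains the "no certificate assigned" error without having to read the -ddd output.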