Re: openssl error while retrieving key from smartcard from wpa_supplicant?

2007-07-03 Thread Carles Fernandez i Julia
Nils Larsch wrote:
 Carles Fernandez i Julia wrote:
 ...
 That's the point: I have the private key certificate stored in the
 smartcard, not located in a plain file. That's why I commented the line
 above.

 the engine doesn't support using certificates stored on smart cards
 (and I don't even think that this is extremely useful).
But this engine, pkcs11-opensc, is designed to do this (using
certificates on smartcards).

 Nils
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   [EMAIL PROTECTED]




-- 
Carles Fernàndez
CESCA, Communications Dept.
Centre de Supercomputació de Catalunya
Gran Capità, 2-4 (Edifici Nexus) · 08034 Barcelona
T. 93 205 6464 · F. 93 205 6979 · [EMAIL PROTECTED]



Re: openssl error while retrieving key from smartcard from wpa_supplicant?

2007-06-26 Thread Carles Fernandez i Julia
Marek Marcola wrote:
 Hello,

 I'm currently trying to authenticate using EAP-TLS using smartcard with
 wpa_supplicant and I get this error:

 OpenSSL: tls_connection_engine_private_key - Private key failed
 verification error:140A30B1:SSL routines:SSL_check_private_key:no
 certificate assigned

 I got some messages "Error: can't open /var/run/openct/status: No such
 file or directory" but I get these messages always when I use my
 smartcard reader (and it works).

 Looks like you have not configured the X509 private key certificate.

 plain text document attachment (wpa_supplicant.conf)
 ctrl_interface=/var/run/wpa_supplicant
 ctrl_interface_group=0
 eapol_version=1
 fast_reauth=1
 pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
 pkcs11_module_path=/usr/lib/opensc-pkcs11.so

 network={
 ssid=*
 key_mgmt=WPA-EAP
 eap=TLS
 proto=WPA
 pairwise=TKIP
 group=TKIP
 identity=[EMAIL PROTECTED]
 ca_cert=/etc/wpa_supplicant/CA_CATCertPP_GlobalTrust.crt
 #client_cert=/etc/cert/user.pem

 I'm not sure but this may be the place to configure the certificate.
 You should have your private key certificate. This certificate may be
 located in a plain file. To check that your certificate certifies the
 proper private key you may do something like that (test example):

That's the point: I have the private key certificate stored in the
smartcard, not located in a plain file. That's why I commented the line
above.

 $ openssl rsa -engine chil -in rsa-test2 -inform engine -modulus -noout
 engine chil set.
 Modulus=D14731D19EF32A3D458EE61B219A0E019...
 $ openssl x509 -in rsa-test2-crt.pem -modulus -noout
 Modulus=D14731D19EF32A3D458EE61B219A0E019

 and you should get the same numbers.

I've tried in all ways to run this test with the pkcs11 module and my
smartcard, but I didn't manage to. Maybe the structure is different when
not operating with files.
 Best regards,

Thank you for your effort!

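The modulus comparison Marek suggests, as an added example that is not code from this thread: a small Python script that reads the RSA modulus out of a PKCS#1 private key and out of a certificate's subjectPublicKeyInfo and reports whether they match, the same check as `openssl rsa -modulus` against `openssl x509 -modulus`. It uses a minimal DER reader so it runs without OpenSSL; the sample key and certificate it feeds itself are constructed inline with a toy-sized modulus and a placeholder signature and exist only to exercise the parser (the function names and sample values are this example's own). Two caveats for Carles's setup: the key side of the test would have to come from the token rather than from a file, since the private key never leaves the card, and the error quoted in the thread, `SSL_check_private_key:no certificate assigned`, is raised before any such comparison takes place, because it means no client certificate was loaded into the SSL context at all, so there is nothing for the engine-provided key to be checked against.

```python
"""Compare the RSA modulus of a private key with the one in a certificate.
Added example (not from the thread): the `openssl rsa -modulus` versus
`openssl x509 -modulus` test done with a minimal DER reader, no OpenSSL needed.
Sample key and certificate are constructed with a toy modulus and a dummy
signature; they exist only to exercise the parser."""
import base64
import re

OID_RSA = bytes.fromhex("2a864886f70d010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
OID_CN = bytes.fromhex("550403")                      # commonName

# --- minimal DER encoder, used only to build the sample inputs --------------
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)  # keep it positive

def seq(*items):
    return tlv(0x30, b"".join(items))

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def rsa_private_key_der(p, q, e=65537):
    """PKCS#1 RSAPrivateKey for primes p, q (toy-sized here, never for real use)."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return seq(der_int(0), der_int(n), der_int(e), der_int(d), der_int(p), der_int(q),
               der_int(d % (p - 1)), der_int(d % (q - 1)), der_int(pow(q, -1, p)))

def certificate_der(n, e, cn=b"wpa-test"):
    """X.509 structure carrying public key (n, e); the signature is a placeholder."""
    name = seq(tlv(0x31, seq(tlv(0x06, OID_CN), tlv(0x0C, cn))))
    alg = seq(tlv(0x06, OID_SHA256_RSA), tlv(0x05, b""))
    spki = seq(seq(tlv(0x06, OID_RSA), tlv(0x05, b"")),
               tlv(0x03, b"\x00" + seq(der_int(n), der_int(e))))
    validity = seq(tlv(0x17, b"070625000000Z"), tlv(0x17, b"170625000000Z"))
    tbs = seq(tlv(0xA0, der_int(2)), der_int(1), alg, name, validity, name, spki)
    return seq(tbs, alg, tlv(0x03, b"\x00" * 17))  # not a real signature

# --- minimal DER reader ------------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def pem_to_der(pem):
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem).split()))

def private_key_modulus(key_pem):
    """Modulus of a PKCS#1 'RSA PRIVATE KEY' (what `openssl rsa -modulus` prints)."""
    fields = children(read_tlv(pem_to_der(key_pem))[1])  # version, n, e, d, ...
    return int.from_bytes(fields[1][1], "big")

def certificate_modulus(cert_pem):
    """Modulus in a certificate's subjectPublicKeyInfo (`openssl x509 -modulus`)."""
    tbs = children(children(read_tlv(pem_to_der(cert_pem))[1])[0][1])
    if tbs[0][0] == 0xA0:                 # optional [0] EXPLICIT version
        tbs = tbs[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    algorithm, pubkey_bits = children(tbs[5][1])
    if children(algorithm[1])[0][1] != OID_RSA:
        raise ValueError("certificate key is not rsaEncryption")
    rsa_pub = read_tlv(pubkey_bits[1][1:])[1]  # BIT STRING: skip unused-bits byte
    return int.from_bytes(children(rsa_pub)[0][1], "big")

def key_matches_certificate(key_pem, cert_pem):
    return private_key_modulus(key_pem) == certificate_modulus(cert_pem)

# --- constructed sample inputs: toy Mersenne primes, not a real key size -----
P, Q, P2 = 2**61 - 1, 2**89 - 1, 2**107 - 1
KEY_PEM = to_pem("RSA PRIVATE KEY", rsa_private_key_der(P, Q))
OTHER_KEY_PEM = to_pem("RSA PRIVATE KEY", rsa_private_key_der(P2, Q))
CERT_PEM = to_pem("CERTIFICATE", certificate_der(P * Q, 65537))

if __name__ == "__main__":
    print("Modulus=%X" % certificate_modulus(CERT_PEM))
    print("matching key:", key_matches_certificate(KEY_PEM, CERT_PEM))       # True
    print("other key   :", key_matches_certificate(OTHER_KEY_PEM, CERT_PEM))  # False
```

Run as a script it prints the certificate modulus in the same hex form `openssl x509 -modulus` uses, then the match result for the right key and for an unrelated one. `certificate_modulus` works on any real PEM certificate with an RSA key, which is the half of the test that is still available when the private key itself sits on a card.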


openssl error while retrieving key from smartcard from wpa_supplicant?

2007-06-25 Thread Carles Fernandez i Julia
Hi
I'm currently trying to authenticate using EAP-TLS using smartcard with
wpa_supplicant and I get this error:

OpenSSL: tls_connection_engine_private_key - Private key failed
verification error:140A30B1:SSL routines:SSL_check_private_key:no
certificate assigned

I got some messages "Error: can't open /var/run/openct/status: No such
file or directory" but I get these messages always when I use my
smartcard reader (and it works).

I've googled and I got nothing useful. Any idea?

PS: I've ***ed personal data from attached files

thanks,
Carles



ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
fast_reauth=1
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/lib/opensc-pkcs11.so

network={
ssid=*
key_mgmt=WPA-EAP
eap=TLS
proto=WPA
pairwise=TKIP
group=TKIP
identity=[EMAIL PROTECTED]
ca_cert=/etc/wpa_supplicant/CA_CATCertPP_GlobalTrust.crt
#client_cert=/etc/cert/user.pem

#   scan_ssid=1
engine=1

# The engine configured here must be available. Look at
# OpenSSL engine support in the global section.
# The key available through the engine must be the private key
# matching the client certificate configured above.

# use the opensc engine
#engine_id=opensc
#key_id=45

# use the pkcs11 engine
engine_id=pkcs11
key_id=e451d1d1197caf4c74c33d9143986a28c9c34a55

# Optional PIN configuration; this can be left out and PIN will be
# asked through the control interface
pin=
}

[EMAIL PROTECTED]:~$ sudo wpa_supplicant -D wext -i eth1 -c 
/etc/wpa_supplicant/wpa_supplicant.conf -ddd
Initializing interface 'eth1' conf '/etc/wpa_supplicant/wpa_supplicant.conf' 
driver 'wext' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' - 
'/etc/wpa_supplicant/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group='0' (DEPRECATED)
eapol_version=1
fast_reauth=1
pkcs11_engine_path='/usr/lib/engines/engine_pkcs11.so'
pkcs11_module_path='/usr/lib/opensc-pkcs11.so'
Line: 17 - start of a new network block
ssid - hexdump_ascii(len=7):
 ** ** ** ** **  *
key_mgmt: 0x1
eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00
proto: 0x1
pairwise: 0x8
group: 0x8
identity - hexdump_ascii(len=40):
 ** ** ** ** ** *** ** ** ***
ca_cert - hexdump_ascii(len=48):
 2f 65 74 63 2f 77 70 61 5f 73 75 70 70 6c 69 63   /etc/wpa_supplic
 61 6e 74 2f 43 41 5f 43 41 54 43 65 72 74 50 50   ant/CA_CATCertPP
 5f 47 6c 6f 62 61 6c 54 72 75 73 74 2e 63 72 74   _GlobalTrust.crt
engine=1 (0x1)
engine_id - hexdump_ascii(len=6):
 70 6b 63 73 31 31 pkcs11
key_id - hexdump_ascii(len=40):
 65 34 35 31 64 31 64 31 31 39 37 63 61 66 34 63   e451d1d1197caf4c
 37 34 63 33 33 64 39 31 34 33 39 38 36 61 32 38   74c33d9143986a28
 63 39 63 33 34 61 35 35   c9c34a55
pin - hexdump_ascii(len=4): [REMOVED]
Priority group 0
   id=0 ssid='***'
Initializing interface (2) 'eth1'
ENGINE: Loading dynamic engine
ENGINE: Loading pkcs11 Engine from /usr/lib/engines/engine_pkcs11.so
ENGINE: 'SO_PATH' '/usr/lib/engines/engine_pkcs11.so'
ENGINE: 'ID' 'pkcs11'
ENGINE: 'LIST_ADD' '1'
ENGINE: 'LOAD' '(null)'
ENGINE: 'MODULE_PATH' '/usr/lib/opensc-pkcs11.so'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
SIOCGIWRANGE: WE(compiled)=21 WE(source)=16 enc_capa=0xf
  capabilities: key_mgmt 0xf enc 0xf
WEXT: Operstate: linkmode=1, operstate=5
Own MAC address: 00:13:02:61:79:24
wpa_driver_wext_set_wpa
wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=1 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=2 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=3 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_countermeasures
wpa_driver_wext_set_drop_unencrypted
Setting scan request: 0 sec 10 usec
ctrl_interface_group=0
Added interface eth1
RTM_NEWLINK: operstate=0 ifi_flags=0x1002 ()
Wireless event: cmd=0x8b06 len=8
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'eth1' added
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'eth1' added
State: DISCONNECTED - SCANNING
Starting AP scan (broadcast SSID)
Trying to get current scan results first without requesting a new scan to speed 
up initial association
Received 1539 bytes of scan results (7 BSSes)
Scan results: 7
Selecting BSS from priority group 0
0: