Re: [openssl-users] Problems on authentication during TLS handshake

2019-01-08 Thread Jin Xie
Agreed. I use this as my engine sample and rewrite it to support OpenSSL
1.1 since this repo only works in OpenSSL 1.0.2. This takes a long time.

Moreover, I very much appreciate the support from everyone and Viktor; it's *important*
to use the public key in SSL_CTX_use_PrivateKey(). Now my engine is working
during the handshake and all encryption processes, and the server is able to recognize
my client.

I will post a follow-up in this thread if I have more results.

Thanks,

Jim



On Tue, Jan 8, 2019 at 3:37 PM Antonio Iacono  wrote:

> Il giorno mar 8 gen 2019 alle ore 19:32 Jin Xie 
> ha scritto:
>
>> Thank you! I would have a try.
>>
>>
> Look here: https://github.com/MicrochipTech/cryptoauth-openssl-engine
>
> Antonio
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


Re: [openssl-users] Problems on authentication during TLS handshake

2019-01-08 Thread Jin Xie
Thank you! I would have a try.

On Tue, Jan 8, 2019 at 1:10 AM Viktor Dukhovni 
wrote:

> On Tue, Jan 08, 2019 at 12:38:32AM -0800, Jin Xie wrote:
>
> > As for “in which case it will use the public key as a stand-in for the
> > missing private key”, do you mean use “client cert public key” instead of
> > “client cert private key”? If so is it possible that I pass “client cert
> > public key” in “SSL_CTX_use_PrivateKey_file”? (I’m running on 1.1 : )
>
> With engines, you have to use ENGINE_load_private_key(), and then
> SSL_CTX_use_PrivateKey().
>
> See the code in apps/s_client.c and load_key() in apps/apps.c.
>
> --
> Viktor.


Re: [openssl-users] Problems on authentication during TLS handshake

2019-01-08 Thread Jin Xie
Hi Viktor,

Thanks for your reply! Sorry for my wrong format; I will use plain text 
in the future. 

As for “in which case it will use the public key as a stand-in for the missing 
private key”, do you mean use “client cert public key” instead of “client cert 
private key”? If so is it possible that I pass “client cert public key” in 
“SSL_CTX_use_PrivateKey_file”? (I’m running on 1.1 : )

Thanks,

Jim

From: Viktor Dukhovni
Sent: Tuesday, January 8, 2019 12:05 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Problems on authentication during TLS handshake

On Mon, Jan 07, 2019 at 11:43:47PM -0800, Jin Xie wrote:

[ Going forward, please try to post plain-text with regular spaces,
  rather than Unicode non-breaking spaces. ]

>// load client-side cert and key, signed by intermediate cert
>SSL_CTX_use_certificate_file(m_ctx, ClientCertificateFileTest, 
> SSL_FILETYPE_PEM);
> 
>// no need anymore because no way to extract private key
>// SSL_CTX_use_PrivateKey_file(m_ctx, ClientPrivateKeyFileTest, 
> SSL_FILETYPE_PEM);

Your problem is here, you can't skip loading some form of private
key handle.  OpenSSL 1.1.1 provides an SSL_CTX_use_cert_and_key()
function, which allows the private key to be passed as NULL, in which
case it will use the public key as a stand-in for the missing private
key.  All the relevant functions are in ssl/ssl_rsa.c, if you are
willing to read the source code to find the most suitable interface.

If you're using 1.1.0 or 1.0.2 there is probably another way, but
I don't know it off-hand.

-- 
Viktor.


[openssl-users] Problems on authentication during TLS handshake

2019-01-07 Thread Jin Xie
Hello everyone,

I’m new at OpenSSL programming and encountered a problem while building a TLS 
connection. I’m working on a crypto chip ATECC508A. So the client private key 
is stored in the chip and there is no way to get it out. However during a standard TLS 
handshake, I need to provide the client private key by “SSL_CTX_use_private_key()” 
if the server needs to identify the client. Because the server will give a 
“challenge” to the client and the client needs to encrypt it by the client private key. 
Then the server will decode it by the client public key and check if they match. 
For your reference: 
https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake

I have written my sample client and server code. Everything works fine if I use 
my own test certificates: self-signed CA and client cert signed by the CA (this 
means I have the test client cert private key so that I could use 
SSL_CTX_use_private_key() to import it). 

The problem is here: in ATECC508A, I’m not able to provide the private key directly 
but have an API to sign any digest. So I wonder whether there are any ways to do some 
“modification” during the handshake? I have tried the following two ways:

1. Using OpenSSL Engine. I see that we could set our own algorithms inside the 
engine to overwrite the original methods. I think signing the “challenge” is at 
EC_KEY_METHOD. So I wrote an EC_KEY_METHOD engine and loaded it successfully. 
Besides, I print “enter” and “leave” at the beginning and end of every function 
in EC_KEY_METHOD. When I do some tests using “ECDSA_sign”, I could see “enter” 
and “leave” printed from my sign_sig and sign functions. However if I run a TLS 
connection, nothing is printed (except the engine initialization log) and 
authentication fails (obviously). That means my own sign and verify functions 
haven’t been called.

2. Set a callback in SSL or SSL_CTX? I have checked the source code of these two 
structures but am not sure how to do that.

Those are what I tried, and of course every try failed. :( So could anyone point 
out what I should do? Maybe I used the wrong engine, missed some important callback 
or something else?

Best Regards,

Jim

=

I post my client test code for your reference:

#include <stdio.h>
#include <openssl/conf.h>
#include <openssl/engine.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include "openssl/eccx08_engine.h"
#include "openssl/eccx08_engine_internal.h"

int get_socket(void); // my own API, returns a connected socket

int main()
{
    static ENGINE *ateccx08_engine;
    SSL_CTX *m_ctx;
    SSL *m_ssl;
    int m_sock;

    OpenSSL_add_all_algorithms();
    ERR_load_crypto_strings();

    printf("ENGINE_load_dynamic\n");
    ENGINE_load_dynamic();

    printf("CONF_modules_load_file\n");
    if (!CONF_modules_load_file(NULL, NULL, CONF_MFLAGS_DEFAULT_SECTION))
    {
        printf("Config failed to load\n");
    }

    printf("ENGINE_by_id\n");
    ateccx08_engine = ENGINE_by_id("ateccx08");

    if (ateccx08_engine == NULL)
    {
        printf("Engine failed to load\n");
    }

    // after some initialization
    m_ctx = SSL_CTX_new(TLS_client_method());

    // load client-side cert and key, signed by intermediate cert
    SSL_CTX_use_certificate_file(m_ctx, ClientCertificateFileTest,
                                 SSL_FILETYPE_PEM);

    // no need anymore because no way to extract private key
    // SSL_CTX_use_PrivateKey_file(m_ctx, ClientPrivateKeyFileTest,
    //                             SSL_FILETYPE_PEM);

    // load intermediate cert, signed by CA
    X509 *chaincert = NULL;
    BIO *bio_cert = BIO_new_file(SignerCertificateFileTest, "rb");
    PEM_read_bio_X509(bio_cert, &chaincert, NULL, NULL);
    BIO_free(bio_cert);
    SSL_CTX_add1_chain_cert(m_ctx, chaincert);

    m_ssl = SSL_new(m_ctx);

    // get_socket is my own API
    m_sock = get_socket();

    SSL_set_fd(m_ssl, m_sock);

    // doing handshake and build connection, however no output from ECDSA sign
    // algorithm
    int r = SSL_connect(m_ssl);
    if (r != 1)
    {
        ERR_print_errors_fp(stderr);
    }
    return r == 1 ? 0 : 1;
}


