Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Hint for OpenSSL ENGINE / PKCS#11 #3692

Closed
opensignature opened this issue Mar 20, 2019 · 2 comments
Closed

Hint for OpenSSL ENGINE / PKCS#11 #3692

opensignature opened this issue Mar 20, 2019 · 2 comments

Comments

@opensignature
Copy link

@opensignature opensignature commented Mar 20, 2019

I'm writing a new PKCS#11 engine for OpenSSL ( openssl/openssl#8200 ).
Testing with curl I saw that:
curl -E 'pkcs11:object=test' --key 'pkcs11:object=test;pin-value=secret' https://www.saela.eu/auth/index.php
works properly (this is result):

[SSL_CLIENT_VERIFY] = ... self signed certificate
[SSL_CLIENT_SERIAL] = 1EA53B35D50CF1CD1E4A42492518DA318D606A96
[SSL_CLIENT_I_DN] = CN = TEST
[SSL_CLIENT_FINGERPRINT] = 2c0c5a44fa3a9c1e0c5d49fd1a53de75d66c51b0

but with just
curl -E 'pkcs11:object=test; pin-value=secret'
I have
curl: (58) unable to set private key file: 'pkcs11:object=test;pin-value=secret' type PEM
I would like to suggest to insert at https://github.com/curl/curl/blob/master/lib/vtls/openssl.c#L842 these lines:

if (!key_type && do_file_type(cert_type) == SSL_FILETYPE_ENGINE)  {
    file_type = SSL_FILETYPE_ENGINE;
    key_file = cert_file;
}

Best regards,
Antonio

@jay
Copy link
Member

@jay jay commented Mar 20, 2019

Possibly related to #974?

/cc @dwmw2

@dwmw2
Copy link
Contributor

@dwmw2 dwmw2 commented Mar 20, 2019

I'd do it like this:

--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -838,15 +838,15 @@ int cert_stuff(struct connectdata *conn,
       return 0;
     }
 
-    file_type = do_file_type(key_type);
+    if(!key_file)
+      key_file = cert_file;
+    else
+      file_type = do_file_type(key_type);
 
     switch(file_type) {
     case SSL_FILETYPE_PEM:
       if(cert_done)
         break;
-      if(!key_file)
-        /* cert & key can only be in PEM case in the same file */
-        key_file = cert_file;
       /* FALLTHROUGH */
     case SSL_FILETYPE_ASN1:
       if(SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type) != 1) {

That works here for both PKCS#11 and file certs.

@dwmw2 dwmw2 closed this in #3693 Mar 20, 2019
dwmw2 added a commit that referenced this issue Mar 20, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Jun 19, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

3 participants
You can’t perform that action at this time.