Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Hint for OpenSSL ENGINE / PKCS#11 #3692

opensignature opened this issue Mar 20, 2019 · 2 comments · Fixed by #3693

Hint for OpenSSL ENGINE / PKCS#11 #3692

opensignature opened this issue Mar 20, 2019 · 2 comments · Fixed by #3693


Copy link

@opensignature opensignature commented Mar 20, 2019

I'm writing a new PKCS#11 engine for OpenSSL ( openssl/openssl#8200 ).
Testing with curl I saw that:
curl -E 'pkcs11:object=test' --key 'pkcs11:object=test;pin-value=secret'
works properly (this is result):

[SSL_CLIENT_VERIFY] = ... self signed certificate
[SSL_CLIENT_SERIAL] = 1EA53B35D50CF1CD1E4A42492518DA318D606A96
[SSL_CLIENT_FINGERPRINT] = 2c0c5a44fa3a9c1e0c5d49fd1a53de75d66c51b0

but with just
curl -E 'pkcs11:object=test; pin-value=secret'
I have
curl: (58) unable to set private key file: 'pkcs11:object=test;pin-value=secret' type PEM
I would like to suggest to insert at these lines:

if (!key_type && do_file_type(cert_type) == SSL_FILETYPE_ENGINE)  {
    file_type = SSL_FILETYPE_ENGINE;
    key_file = cert_file;

Best regards,

Copy link

@jay jay commented Mar 20, 2019

Possibly related to #974?

/cc @dwmw2

Copy link

@dwmw2 dwmw2 commented Mar 20, 2019

I'd do it like this:

--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -838,15 +838,15 @@ int cert_stuff(struct connectdata *conn,
       return 0;
-    file_type = do_file_type(key_type);
+    if(!key_file)
+      key_file = cert_file;
+    else
+      file_type = do_file_type(key_type);
     switch(file_type) {
-      if(!key_file)
-        /* cert & key can only be in PEM case in the same file */
-        key_file = cert_file;
       /* FALLTHROUGH */
     case SSL_FILETYPE_ASN1:
       if(SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type) != 1) {

That works here for both PKCS#11 and file certs.

@dwmw2 dwmw2 closed this in #3693 Mar 20, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Jun 19, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

3 participants