Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hint for OpenSSL ENGINE / PKCS#11 #3692

Closed
opensignature opened this issue Mar 20, 2019 · 2 comments · Fixed by #3693
Closed

Hint for OpenSSL ENGINE / PKCS#11 #3692

opensignature opened this issue Mar 20, 2019 · 2 comments · Fixed by #3693
Labels
cmdline tool TLS

Comments

@opensignature
Copy link
Contributor

@opensignature opensignature commented Mar 20, 2019

I'm writing a new PKCS#11 engine for OpenSSL ( openssl/openssl#8200 ).
Testing with curl I saw that:
curl -E 'pkcs11:object=test' --key 'pkcs11:object=test;pin-value=secret' https://www.saela.eu/auth/index.php
works properly (this is result):

[SSL_CLIENT_VERIFY] = ... self signed certificate
[SSL_CLIENT_SERIAL] = 1EA53B35D50CF1CD1E4A42492518DA318D606A96
[SSL_CLIENT_I_DN] = CN = TEST
[SSL_CLIENT_FINGERPRINT] = 2c0c5a44fa3a9c1e0c5d49fd1a53de75d66c51b0

but with just
curl -E 'pkcs11:object=test; pin-value=secret'
I have
curl: (58) unable to set private key file: 'pkcs11:object=test;pin-value=secret' type PEM
I would like to suggest to insert at https://github.com/curl/curl/blob/master/lib/vtls/openssl.c#L842 these lines:

if (!key_type && do_file_type(cert_type) == SSL_FILETYPE_ENGINE)  {
    file_type = SSL_FILETYPE_ENGINE;
    key_file = cert_file;
}

Best regards,
Antonio
@jay
Copy link
Member

@jay jay commented Mar 20, 2019

Possibly related to #974?

/cc @dwmw2

@dwmw2
Copy link
Contributor

@dwmw2 dwmw2 commented Mar 20, 2019

I'd do it like this:

--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -838,15 +838,15 @@ int cert_stuff(struct connectdata *conn,
       return 0;
     }
 
-    file_type = do_file_type(key_type);
+    if(!key_file)
+      key_file = cert_file;
+    else
+      file_type = do_file_type(key_type);
 
     switch(file_type) {
     case SSL_FILETYPE_PEM:
       if(cert_done)
         break;
-      if(!key_file)
-        /* cert & key can only be in PEM case in the same file */
-        key_file = cert_file;
       /* FALLTHROUGH */
     case SSL_FILETYPE_ASN1:
       if(SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type) != 1) {

That works here for both PKCS#11 and file certs.

This was referenced Mar 20, 2019
Closed
Merged
dwmw2 added a commit that referenced this issue Mar 20, 2019
@dwmw2
openssl: if cert type is ENG and no key specified, key is ENG too
efd9fba 
Fixes #3692
Closes #3692
@lock lock bot locked as resolved and limited conversation to collaborators Jun 19, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
cmdline tool TLS
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

openssl: if cert type is ENG and no key specified, key is ENG too dwmw2/curl
3 participants
@dwmw2 @jay @opensignature