Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Hint for OpenSSL ENGINE / PKCS#11 #3692

opensignature opened this issue Mar 20, 2019 · 2 comments


None yet
3 participants
Copy link

commented Mar 20, 2019

I'm writing a new PKCS#11 engine for OpenSSL ( openssl/openssl#8200 ).
Testing with curl I saw that:
curl -E 'pkcs11:object=test' --key 'pkcs11:object=test;pin-value=secret'
works properly (this is result):

[SSL_CLIENT_VERIFY] = ... self signed certificate
[SSL_CLIENT_SERIAL] = 1EA53B35D50CF1CD1E4A42492518DA318D606A96
[SSL_CLIENT_FINGERPRINT] = 2c0c5a44fa3a9c1e0c5d49fd1a53de75d66c51b0

but with just
curl -E 'pkcs11:object=test; pin-value=secret'
I have
curl: (58) unable to set private key file: 'pkcs11:object=test;pin-value=secret' type PEM
I would like to suggest to insert at these lines:

if (!key_type && do_file_type(cert_type) == SSL_FILETYPE_ENGINE)  {
    file_type = SSL_FILETYPE_ENGINE;
    key_file = cert_file;

Best regards,


This comment has been minimized.

Copy link

commented Mar 20, 2019

Possibly related to #974?

/cc @dwmw2


This comment has been minimized.

Copy link

commented Mar 20, 2019

I'd do it like this:

--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -838,15 +838,15 @@ int cert_stuff(struct connectdata *conn,
       return 0;
-    file_type = do_file_type(key_type);
+    if(!key_file)
+      key_file = cert_file;
+    else
+      file_type = do_file_type(key_type);
     switch(file_type) {
-      if(!key_file)
-        /* cert & key can only be in PEM case in the same file */
-        key_file = cert_file;
       /* FALLTHROUGH */
     case SSL_FILETYPE_ASN1:
       if(SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type) != 1) {

That works here for both PKCS#11 and file certs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.