Skip to content

Hint for OpenSSL ENGINE / PKCS#11 #3692

New issue
New issue
Closed
#3693
Closed
Hint for OpenSSL ENGINE / PKCS#11#3692
#3693
Labels
TLScmdline tool
@opensignature

Description

@opensignature
opensignature
opened on Mar 20, 2019

I'm writing a new PKCS#11 engine for OpenSSL ( openssl/openssl#8200 ).
Testing with curl I saw that:
curl -E 'pkcs11:object=test' --key 'pkcs11:object=test;pin-value=secret' https://www.saela.eu/auth/index.php
works properly (this is result):

[SSL_CLIENT_VERIFY] = ... self signed certificate
[SSL_CLIENT_SERIAL] = 1EA53B35D50CF1CD1E4A42492518DA318D606A96
[SSL_CLIENT_I_DN] = CN = TEST
[SSL_CLIENT_FINGERPRINT] = 2c0c5a44fa3a9c1e0c5d49fd1a53de75d66c51b0

but with just
curl -E 'pkcs11:object=test; pin-value=secret'
I have
curl: (58) unable to set private key file: 'pkcs11:object=test;pin-value=secret' type PEM
I would like to suggest to insert at https://github.com/curl/curl/blob/master/lib/vtls/openssl.c#L842 these lines:

if (!key_type && do_file_type(cert_type) == SSL_FILETYPE_ENGINE)  {
    file_type = SSL_FILETYPE_ENGINE;
    key_file = cert_file;
}

Best regards,
Antonio

Activity

jay

jay commented on Mar 20, 2019

@jay
jay
on Mar 20, 2019
Member

Possibly related to #974?

/cc @dwmw2

jay
added
TLS
cmdline tool
on Mar 20, 2019
dwmw2

dwmw2 commented on Mar 20, 2019

@dwmw2
dwmw2
on Mar 20, 2019
Contributor

I'd do it like this:

--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -838,15 +838,15 @@ int cert_stuff(struct connectdata *conn,
       return 0;
     }
 
-    file_type = do_file_type(key_type);
+    if(!key_file)
+      key_file = cert_file;
+    else
+      file_type = do_file_type(key_type);
 
     switch(file_type) {
     case SSL_FILETYPE_PEM:
       if(cert_done)
         break;
-      if(!key_file)
-        /* cert & key can only be in PEM case in the same file */
-        key_file = cert_file;
       /* FALLTHROUGH */
     case SSL_FILETYPE_ASN1:
       if(SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type) != 1) {

That works here for both PKCS#11 and file certs.

dwmw2
mentioned this in 2 pull requests on Mar 20, 2019
dwmw2
closed this as completedin #3693on Mar 20, 2019
dwmw2
added a commit that references this issue on Mar 20, 2019

openssl: if cert type is ENG and no key specified, key is ENG too

efd9fba
lock
locked as resolved and limited conversation to collaborators on Jun 19, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    TLScmdline tool

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      Participants

      @dwmw2@jay@opensignature

      Issue actions
        Hint for OpenSSL ENGINE / PKCS#11 · Issue #3692 · curl/curl