Openssl pkcs11-engine using s_client with PIV card


Openssl pkcs11-engine using s_client with PIV card

Matthew Zimmerman
I'm trying to debug an SSL connection to a webserver utilizing my PIV
Authentication Certificate and the associated private key on my card
and I believe I've found a bug in mechanism.c

I *think* I'm doing everything correctly, although documentation on
the engine in openssl is *very* sparse.  Here's how I'm setting up
the connection.

openssl
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre
ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
MODULE_PATH:src/pkcs11/.libs/opensc-pkcs11.so -pre VERBOSE
s_client -engine pkcs11 -connect webserver:443 -CAfile ca.crt -cert
pivauth.crt -certform PEM -key 1:01 -keyform engine -prexit

According to the opensc tools, my card is in slot 1 and my key is id
01.  I'm fairly certain I'm using the -key and -keyform parameters
correctly but I'm not sure of -cert and -certform.  Should I instead
be telling openssl how to pull the cert from my card instead of the
local file (which corresponds with the key?)  How do I do that?  (I've
tried a few ways.)

This will prompt me for my pin, but then segfaults on line 428 of
mechanism.c -- seemingly data is pointing to an address but has no
member buffer_len (this could be wrong, my c and gdb experience is
highly lacking)

Found slot:  Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
Found token: PIV_II (PIV Card Holder pin)
Found 4 certificates:
   1    Certificate for PIV Authentication
   2    Certificate for Digital Signature
   3    Certificate for Key Management
   4    Certificate for Card Authentication
PKCS#11 token PIN:
Found 4 keys:
   1 P  PIV AUTH key
   2 P  SIGN key
   3 P  KEY MAN key
   4 P  CARD AUTH key

Program received signal SIGSEGV, Segmentation fault.
0x00002aaaac155660 in sc_pkcs11_signature_final (operation=0x6cb7d0,
pSignature=0x7fffffffda30 "", pulSignatureLen=0x0) at mechanism.c:428
428  sc_log(context, "data length %li", data->buffer_len);
(gdb) print data
$1 = (struct signature_data *) 0x30
(gdb) print data->buffer_len
Cannot access memory at address 0x248
(gdb) backtrace
#0  0x00002aaaac155660 in sc_pkcs11_signature_final
(operation=0x6cb7d0, pSignature=0x7fffffffda30 "",
pulSignatureLen=0x0) at mechanism.c:428
#1  0x00002aaaab036e3d in look_str_cb () from /usr/lib/libcrypto.so.1.0.0
#2  0x00002aaaab04722c in lh_doall_arg () from /usr/lib/libcrypto.so.1.0.0
#3  0x00002aaaab03565c in engine_table_doall () from /usr/lib/libcrypto.so.1.0.0
#4  0x00002aaaab037203 in ENGINE_pkey_asn1_find_str () from
/usr/lib/libcrypto.so.1.0.0
#5  0x00002aaaab071fa3 in EVP_PKEY_asn1_find_str () from
/usr/lib/libcrypto.so.1.0.0
#6  0x00002aaaaad179d7 in ssl_create_cipher_list () from
/usr/lib/libssl.so.1.0.0
#7  0x00002aaaaad10964 in SSL_CTX_new () from /usr/lib/libssl.so.1.0.0
#8  0x000000000043d07e in ?? ()
#9  0x0000000000419587 in ?? ()
#10 0x000000000041927d in ?? ()
#11 0x00002aaaab363725 in __libc_start_main () from /usr/lib/libc.so.6
#12 0x000000000041934d in ?? ()
#13 0x00007fffffffe598 in ?? ()
#14 0x0000000000000000 in ?? ()

Thanks for any advice/patches/help :)
Matt
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: Openssl pkcs11-engine using s_client with PIV card

Douglas E. Engert


On 12/20/2012 7:54 AM, Matthew Zimmerman wrote:

> I'm trying to debug an SSL connection to a webserver utilizing my PIV
> Authentication Certificate and the associated private key on my card
> and I believe I've found a bug in mechanism.c
>
> I *think* I'm doing everything correctly, although documentation on
> the engine in openssl are *very* sparse.  Here's how I'm setting up
> the connection.
>
> openssl
> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre
> ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
> MODULE_PATH:src/pkcs11/.libs/opensc-pkcs11.so -pre VERBOSE
> s_client -engine pkcs11 -connect webserver:443 -CAfile ca.crt -cert
> pivauth.crt -certform PEM -key 1:01 -keyform engine -prexit
>
> According to the opensc tools, my card is in slot 1 and my key is id
> 01.  I'm fairly certain I'm using the -key and -keyform parameters
> correctly but I'm not sure of -cert and -certform.  Should I instead
> be telling openssl how to pull the cert from my card instead of the
> local file (which corresponds with the key?)  How do I do that?  (I've
> tried a few ways.)

The OpenSC engine can pull the cert from the card, but it looks like
the OpenSSL s_client does not support using an engine for the cert.
It calls load_cert. Look at the load_cert (vs the load_key) routines
in the OpenSSL src/apps/apps.c It does not recognize FORMAT_ENGINE.

So you have to get the cert off the card in a separate step:

   pkcs15-tool -r 01 > cert.01.pem


For the -key parameter, I have always used slot_1-id_01 for the auth cert.
I had not looked to see if 1:01 works too.

An example:

openssl << EOT
engine dynamic -vvvv -pre SO_PATH:$OPENSC_ENGINE/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD  -pre MODULE_PATH:$OPENSC_PATH/opensc-pkcs11.so
dgst -engine pkcs11 -keyform engine -sign slot_1-id_02 -c -out /tmp/test.ec.sig.out  fake.ec.key/ec.msg.txt
EOT

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: Openssl pkcs11-engine using s_client with PIV card

Matthew Zimmerman
Doug, thanks, I got it working now.  Turns out it was the -t I was
throwing to the openssl engine command... I don't know where I saw
that or what it even does, but if I don't use it there's no segfault
and the connection succeeds!  Now to figure out what's different in
the TLS/SSL libraries that makes both Chromium and Firefox fail...

engine -vvvv dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
MODULE_PATH:src/pkcs11/.libs/opensc-pkcs11.so -pre VERBOSE

s_client -engine pkcs11 -connect webserver:443 -CAfile ca.crt -state
-cert cert.01.pem -key 1:01 -keyform engine

On Thu, Dec 20, 2012 at 10:58 AM, Douglas E. Engert <[hidden email]> wrote:
> The OpenSC engine can pull the cert from the card, but it looks like
> the OpenSSL c_client does not support using an engine for the cert.
> It calls load_cert. Look at the load_cert (vs the load_key) routines
> in the OpenSSL src/apps/apps.c It does not recognize FORMAT_ENGINE.
Good to know as I kept thinking that it was where/how openssl was
getting the cert that was the issue.

> For the -key parameter, I have always used slot_1-id_01 for the auth cert.
> I had not looked to see if 1:01 works too.
I found that 1:01 works too!

Matt
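The two practical points of this thread, as an added worked example that is not code from the thread, from OpenSC or from engine_pkcs11: the `-key` argument is a key reference the engine parses (Douglas uses `slot_1-id_01`, Matt confirms `1:01` also works), and because s_client's load_cert has no FORMAT_ENGINE path the certificate has to be dumped from the card with `pkcs15-tool -r <id>` first and passed as a file. The script below normalises the key reference forms seen in the thread (the grammar, and the choice to reject odd-length hex ids, are this example's assumptions, not a statement of what every engine_pkcs11 version accepts), then assembles the same `openssl` prompt script Douglas and Matt use, with `pkcs15-tool` run for the cert step. Only main() touches a card; the paths and host names in it are placeholders.

```python
"""Added example (not from the thread, OpenSC or engine_pkcs11).

1. parse_key_ref(): normalise the `-key` forms the thread uses
   (`1:01`, `slot_1-id_01`) plus the id-only / label forms, so a typo
   fails loudly instead of silently picking another key on the card.
2. openssl_script(): the `engine ...` + `s_client ...` lines fed to the
   `openssl` prompt, without `-t` on the engine line, which is the flag
   Matt found triggered the segfault.
3. main(): Douglas's two-step workflow, cert via pkcs15-tool, key via engine.
The identifier grammar is an assumption mirroring the thread's forms."""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class KeyRef:
    slot: Optional[int]      # PKCS#11 slot number, None = any slot
    key_id: Optional[bytes]  # CKA_ID, None when selecting by label
    label: Optional[str]     # CKA_LABEL, None when selecting by id

    def engine_form(self) -> str:
        """Canonical `slot_<n>-id_<hex>` or `slot_<n>-label_<text>` string."""
        sel = f"id_{self.key_id.hex()}" if self.key_id is not None else f"label_{self.label}"
        return f"slot_{self.slot}-{sel}" if self.slot is not None else sel


_HEX_BYTES = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
_COLON_FORM = re.compile(r"^(\d+):([0-9a-fA-F]+)$")
_LONG_FORM = re.compile(r"^(?:slot_(\d+)-)?(?:id_([0-9a-fA-F]+)|label_(.+))$")


def _id_bytes(hex_id: str) -> bytes:
    # Assumption of this example: CKA_ID must be whole bytes ("1" is rejected, "01" is not).
    if not _HEX_BYTES.match(hex_id):
        raise ValueError(f"CKA_ID must be whole hex bytes, got {hex_id!r}")
    return bytes.fromhex(hex_id)


def parse_key_ref(text: str) -> KeyRef:
    """Accept `<slot>:<hexid>`, `slot_<n>-id_<hex>`, `id_<hex>`,
    `slot_<n>-label_<text>` or `label_<text>`; anything else is an error."""
    m = _COLON_FORM.match(text)
    if m:
        return KeyRef(int(m.group(1)), _id_bytes(m.group(2)), None)
    m = _LONG_FORM.match(text)
    if m:
        slot = int(m.group(1)) if m.group(1) else None
        if m.group(2) is not None:
            return KeyRef(slot, _id_bytes(m.group(2)), None)
        return KeyRef(slot, None, m.group(3))
    raise ValueError(f"unrecognised key reference: {text!r}")


def pkcs15_tool_read_cert(cert_id: str) -> List[str]:
    """Step one from the thread: `pkcs15-tool -r <id>` prints the PEM cert on stdout."""
    return ["pkcs15-tool", "-r", cert_id]


def openssl_script(engine_so: str, module_so: str, host: str, ca_file: str,
                   cert_file: str, key: KeyRef, port: int = 443) -> str:
    """Lines for the `openssl` prompt (equivalent to Douglas's `openssl << EOT` heredoc).
    No `-t` on the engine line: the thread found that flag triggered the crash."""
    engine = (f"engine -vvvv dynamic -pre SO_PATH:{engine_so} -pre ID:pkcs11 "
              f"-pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:{module_so}")
    client = (f"s_client -engine pkcs11 -connect {host}:{port} -CAfile {ca_file} -state "
              f"-cert {cert_file} -certform PEM -key {key.engine_form()} -keyform engine")
    return engine + "\n" + client + "\n"


def main(argv: List[str]) -> int:
    # usage: piv_s_client.py <host> <ca.crt> <key-ref> [engine_pkcs11.so] [opensc-pkcs11.so]
    if len(argv) < 4:
        print(__doc__, file=sys.stderr)
        return 2
    host, ca_file, key = argv[1], argv[2], parse_key_ref(argv[3])
    engine_so = argv[4] if len(argv) > 4 else "/usr/lib/engines/engine_pkcs11.so"  # placeholder path
    module_so = argv[5] if len(argv) > 5 else "/usr/lib/opensc-pkcs11.so"          # placeholder path
    if key.key_id is None:
        raise SystemExit("pkcs15-tool -r needs a cert id; select the key by id, not label")
    cert_file = f"cert.{key.key_id.hex()}.pem"
    with open(cert_file, "wb") as out:   # cert.01.pem for key id 01, as in the thread
        subprocess.run(pkcs15_tool_read_cert(key.key_id.hex()), stdout=out, check=True)
    script = openssl_script(engine_so, module_so, host, ca_file, cert_file, key)
    return subprocess.run(["openssl"], input=script.encode()).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Selecting by label is supported by the parser but refused in main(), because `pkcs15-tool -r` is keyed by the certificate id; if your card's cert and key share the id (as the PIV objects in the thread do) the id form is the one to use.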