pkcs11 private key from openssl-engine in hostapd EAP-TLS
tom schuring
tomschuring at gmail.com
Sat Sep 26 09:11:03 EDT 2020
Hi,
after making some changes i have been able to load a private key via the
openssl pkcs11 engine.
It's weird but it looks like hostapd doesn't pickup the settings from my
openssl.conf even if i start it using
OPENSSL_CONFIG=/usr/ssl/openssl-pkcs11.conf hostapd /etc/hostapd.conf
so i ended up writing some hard coded paths like ( in tls_openssl.c ) :
// new function :
static int tls_global_use_private_key_via_engine(SSL_CTX *ssl_ctx, const
char* tls_keyfile)
{
if( !tls_keyfile)
{
wpa_printf(MSG_INFO,"no tls_keyfile");
return 1;
}
wpa_printf(MSG_INFO,"tls_global_use_private_key_via_engine
tls_keyfile: '%s'", tls_keyfile);
#ifndef OPENSSL_NO_ENGINE
wpa_printf(MSG_INFO,">> 11");
if( strncmp("pkcs11:", tls_keyfile, strlen("pkcs11:")) == 0)
{
wpa_printf(MSG_INFO,">> 22");
wpa_printf(MSG_INFO,"tls_global_use_private_key_via_engine tls_keyfile
'%s' ", tls_keyfile);
ENGINE *engine;
wpa_printf(MSG_INFO,"TS> loading config file '%s' ",
"/etc/ssl/openssl-pkcs11.cnf");
tls_engine_load_dynamic_pkcs11("/usr/lib/engines/pkcs11.so",
"/usr/lib/libcryptoauth.so" );
wpa_printf(MSG_INFO, "loading engine 1 '%s'", "pkcs11");
engine = ENGINE_by_id("pkcs11");
if(engine != NULL)
{
int ret;
ret = 0;
wpa_printf(MSG_INFO, "loadied pkcs11 engine");
ENGINE_ctrl_cmd_string(engine, "MODULE_PATH",
"/usr/lib/libcryptoauth.so", 0);
if(!ENGINE_init(engine))
{
wpa_printf(MSG_ERROR, "Failed engine initialisation -
%s",ERR_reason_error_string(ERR_get_error()));
ENGINE_free(engine);
return 1;
}
//ENGINE_set_default(engine, ENGINE_METHOD_ALL);
EVP_PKEY* key = ENGINE_load_private_key(engine,
tls_keyfile, NULL, NULL);
if( key)
{
wpa_printf(MSG_INFO, "found private key ");
ret = SSL_CTX_use_PrivateKey(ssl_ctx , key);
wpa_printf(MSG_INFO, "using private key in context. ");
}
else
{
wpa_printf(MSG_INFO, "no private key ");
}
//ENGINE_free(engine);
wpa_printf(MSG_INFO, "loaded pkcs11 key ");
return ret;
}
else
wpa_printf(MSG_INFO, "ENGINE_by_id( \"pkcs11\") no
result %s", ERR_reason_error_string(ERR_get_error()) );
}
wpa_printf(MSG_INFO,">> 33");
#else
wpa_printf(MSG_INFO,">> WTF");
#endif
return 1;
}
and then calling the new function in :
staticinttls_global_private_key(structtls_data *data,
constchar*private_key,
constchar*private_key_passwd)
{
SSL_CTX *ssl_ctx = data->ssl;
if(private_key == NULL)
return0;
if( tls_global_use_private_key_via_engine(ssl_ctx, private_key))
{
wpa_printf(MSG_INFO, __func__," loaded ---- private key: '%s'
",private_key);
}
elseif(tls_use_private_key_file(data, NULL, private_key,
private_key_passwd) &&
tls_read_pkcs12(data, NULL, private_key, private_key_passwd))
{
tls_show_errors(MSG_INFO, __func__, "Failed to load private key");
ERR_clear_error();
return-1;
}
ERR_clear_error();
if(!SSL_CTX_check_private_key(ssl_ctx)) {
tls_show_errors(MSG_INFO, __func__, "Private key failed
verification");
return-1;
}
return0;
}
it works, but you can see it has some problems.
a few questions:
-are pkcs11 engine private keys already supposed to be supported, or
should i try to clean it up and see if it can be added to the project ?
- is it expected that the OPENSSL_CONFIG doesn't get used to load the
engine and module ?
More information about the Hostap
mailing list