OpenSSL Engine Public Key Support - Ask #554

matsujirushi · 2021-08-20T01:51:42Z

matsujirushi
Aug 20, 2021

Using ATECC608A-TNGTLS certificate in iothub_ll_client_x509_sample causes an error.

Creating IoTHub handle
Sending message 1 to IoTHub
Error: Time:Fri Aug 20 10:31:12 2021 File:/home/pi/azure-iot-sdk-c/c-utility/adapters/x509_openssl.c Func:log_ERR_get_error Line:31 Failure PEM_read_bio_X509_AUX
Error: Time:Fri Aug 20 10:31:13 2021 File:/home/pi/azure-iot-sdk-c/c-utility/adapters/x509_openssl.c Func:log_ERR_get_error Line:38   [0] error:0909006C:PEM routines:get_name:no start line

azure-c-shared-utility/adapters/x509_openssl.c

Line 57 in e4d74dc

if ((x509_value = PEM_read_bio_X509_AUX(bio_cert, NULL, NULL, NULL)) == NULL)

However, I can get the certificate chain using p11tool.

pi@raspberrypi:~/azure-iot-sdk-c $ p11tool --export-chain "pkcs11:token=MCHP;object=device;type=cert"
-----BEGIN CERTIFICATE-----
MIICHzCCAcWgAwIBAgIQWUFZXG4yTNVVbQhSXkAUHTAKBggqhkjOPQQDAjBPMSEw
HwYDVQQKDBhNaWNyb2NoaXAgVGVjaG5vbG9neSBJbmMxKjAoBgNVBAMMIUNyeXB0
byBBdXRoZW50aWNhdGlvbiBTaWduZXIgMjcwMDAgFw0yMTA4MTEwMTAwMDBaGA8y
MDQ5MDgxMTAxMDAwMFowQjEhMB8GA1UECgwYTWljcm9jaGlwIFRlY2hub2xvZ3kg
SW5jMR0wGwYDVQQDDBRzbjAxMjNGMkJDNTc4RjkxRTMwMTBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABGY3mKy7exXor2VDuyivgKqcLV4Jx/pjFk3S36csTaDdUf8m
0vwFo2KeO5fscXSq0q9lPcbPeZBd5Gz8WgqR99ejgY0wgYowKgYDVR0RBCMwIaQf
MB0xGzAZBgNVBAUTEmV1aTQ4XzY4MjcxOTRDNEE4NTAMBgNVHRMBAf8EAjAAMA4G
A1UdDwEB/wQEAwIDiDAdBgNVHQ4EFgQUqvpdC1/SCYDHDpdXr/p2J/CJTzUwHwYD
VR0jBBgwFoAU4Ba5Jh9kfa1JOClbSjYs9U6NeYowCgYIKoZIzj0EAwIDSAAwRQIh
ANB9IxHZU7TcwkY2hKRMGvkz2urdCAz19CX767A7DcvrAiAfjBoDUpTOAnFlYuix
qTu0A7Ejpvt5T9Ob92G5/b8pLQ==
-----END CERTIFICATE-----


-----BEGIN CERTIFICATE-----
MIICBDCCAaqgAwIBAgIQaRmQfYZP9wxeFcpCw+W6TDAKBggqhkjOPQQDAjBPMSEw
HwYDVQQKDBhNaWNyb2NoaXAgVGVjaG5vbG9neSBJbmMxKjAoBgNVBAMMIUNyeXB0
byBBdXRoZW50aWNhdGlvbiBSb290IENBIDAwMjAgFw0xODEyMTQyMDAwMDBaGA8y
MDQ5MTIxNDIwMDAwMFowTzEhMB8GA1UECgwYTWljcm9jaGlwIFRlY2hub2xvZ3kg
SW5jMSowKAYDVQQDDCFDcnlwdG8gQXV0aGVudGljYXRpb24gU2lnbmVyIDI3MDAw
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAROEUiP60JV4/IF55RFx0nUqiTy0YXY
U671v4Kzzz15MWL8MigXOPf1V0MkXTceV+6jGu2JdN8QpGWGgZdBZl3Oo2YwZDAO
BgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU4Ba5
Jh9kfa1JOClbSjYs9U6NeYowHwYDVR0jBBgwFoAUeu19bca3eJ2yOAGl6EqMsKQO
KowwCgYIKoZIzj0EAwIDSAAwRQIhALJmp1YuPyKllkQm9WDfoHz1OtIIpziSUgPg
cxSC9IyzAiAkB8/2EQ15+2I2un1DkvRF9U4au2vAf0BKI8bO9yT0AQ==
-----END CERTIFICATE-----


pi@raspberrypi:~/azure-iot-sdk-c $

I don't know how to find out.
Could you give me some advice?

matsujirushi · 2021-08-27T02:00:20Z

matsujirushi
Aug 27, 2021
Author

I wrote the x509certificate variable:

static const char* x509certificate = "pkcs11:token=MCHP;object=device;type=cert";

0 replies

danewalton · 2021-09-02T15:57:37Z

danewalton
Sep 2, 2021
Maintainer

Hi @matsujirushi thanks for the message.

Are you able to use this to help guide you using PKCS11?

Copied here is the relevant section:

// Example using PKCS#11 OpenSSL ENGINE (https://github.com/OpenSC/libp11)
// The OpenSSL ENGINE must be associated to a pkcs11 module within openssl.cnf.
static const char* opensslEngine = "pkcs11";
static const OPTION_OPENSSL_KEY_TYPE x509_key_from_engine = KEY_TYPE_ENGINE;

// Certificate can be extracted from the PKCS#11 library using pkcs11-tool from OpenSC.
static const char* x509certificate = 
"-----BEGIN CERTIFICATE-----\n"
"MIIBMTCB1wIUTu66kxJIBR5t5IkAwh7Lqm/AM+IwCgYIKoZIzj0EAwIwGzEZMBcG\n"
// [...]
"DItkq1MHqzqExB1eTrMHQVY11w62\n"
"-----END CERTIFICATE-----\n";

// The private key contains the PKCS#11 URI.
static const char* x509privatekey = "pkcs11:object=ec-privkey;type=private?pin-value=1234";

0 replies

matsujirushi · 2021-09-03T02:57:54Z

matsujirushi
Sep 3, 2021
Author

Hi @danewalton ,
Thank you for reply.

It working my environment when x509privatekey use pkcs11 and x509certificate is hard-code (NOT use pkcs11).
I want to use the certificate in the ATECC608A-TNGTLS, so I made the following changes. Then an error occurred.

static const char* x509certificate = "pkcs11:token=MCHP;object=device;type=cert";

0 replies

danewalton · 2021-09-03T20:54:35Z

danewalton
Sep 3, 2021
Maintainer

Yes right now we only have support for loading the private key from an engine. Here is the call to make that happen:

azure-c-shared-utility/adapters/x509_openssl.c

Line 241 in 64ea7a9

    
           EVP_PKEY* evp_key = ENGINE_load_private_key(engine, x509privatekey_id, NULL, NULL);

The equivalent call to ENGINE_load_public_key() is not in our code base and therefore the loading comes from

azure-c-shared-utility/adapters/x509_openssl.c

Line 311 in 64ea7a9

if (load_certificate_chain(ssl_ctx, x509certificate) != 0)

TLDR: we don't support that right now. I will move this to a discussion as a feature ask though.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OpenSSL Engine Public Key Support - Ask #554

{{title}}

Replies: 4 comments

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

Select a reply

OpenSSL Engine Public Key Support - Ask #554

matsujirushi Aug 20, 2021

Replies: 4 comments

matsujirushi Aug 27, 2021 Author

danewalton Sep 2, 2021 Maintainer

matsujirushi Sep 3, 2021 Author

danewalton Sep 3, 2021 Maintainer

matsujirushi
Aug 20, 2021

matsujirushi
Aug 27, 2021
Author

danewalton
Sep 2, 2021
Maintainer

matsujirushi
Sep 3, 2021
Author

danewalton
Sep 3, 2021
Maintainer