Ok i am trying to use this code:
TokenEngine::TokenEngine( const StringList & modulePaths )
{
ENGINE * tok = ENGINE_by_id( "pkcs11" );
if ( ! tok )
throw Exception( "token: unable to get engine" );
m_pEngine = tok;
const string modulePath( findFirstExisting( modulePaths ) );
if ( modulePath.empty() )
throw Exception( "token: unable to find module path" );
DEBUG( "token: ctor: module_path=" << QS( modulePath ) );
if ( 1 != ENGINE_ctrl_cmd_string( tok, "MODULE_PATH", modulePath.c_str(),
CMD_MANDATORY ) )
throw Exception( "token: setting module_path <= " + QS( modulePath ) );
DEBUG( "token: ctor: initializing " << m_pEngine );
if ( 1 != ENGINE_init( tok ) )
throw Exception( "token: unable to initialize" );
DEBUG( "token: ctor: done" );
}
which is from this site
https://github.com/tkil/openssl-pkcs11-samples/blob/master/OpenSSLWrappers.cpp
and the problem is that if i change modulePath value to a not existing file the
method is still returning 1 which i think it should not. Correct me if i'm
wrong.
BR
Piotr
________________________________
Od: Michael McKenney <[email protected]>
Wysłane: poniedziałek, 24 maja 2021 14:17
Do: Piotr Lobacz <[email protected]>; [email protected]
<[email protected]>
Temat: RE: CSR generation using pkcs11 token engine from C# code
Usually I reserve C# for Windows servers. I use PHP on Ubuntu other Linux
Distros. Most web servers that need OpenSSL are Linux. Glad you got it
working.
From: Piotr Lobacz <[email protected]>
Sent: Monday, May 24, 2021 8:10 AM
To: Michael McKenney <[email protected]>; [email protected]
Subject: ODP: CSR generation using pkcs11 token engine from C# code
Hi Michael,
thx for your quick reply. Unfortunately i can't use your script because i need
to use native code not bash implementation.
For the first question about loading token module i have found a solution on
github https://github.com/tkil/openssl-pkcs11-samples . This code is a C/C++
code but i can fairly port it to C#, and i was right about different load of
engine for pkcs11 engine. So this can be closed.
Another thing is to generate CSR with the usage of token and openssl. This will
be more complicated and i don't know yet how to do that.
BR
Piotr
________________________________
Od: Michael McKenney
<[email protected]<mailto:[email protected]>>
Wysłane: poniedziałek, 24 maja 2021 13:28
Do: Piotr Lobacz <[email protected]<mailto:[email protected]>>;
[email protected]<mailto:[email protected]>
<[email protected]<mailto:[email protected]>>
Temat: RE: CSR generation using pkcs11 token engine from C# code
I wrote this script years ago when I switched to Godaddy 10 site certificates.
I don't use it from C# You could easily put it into C# or PHP. < >
would be variables at the top. I have it filled in so I just modify the
alt_names. I just cut and paste the all of it into Ubuntu and run it in the
directory /etc/apache2/ssl. If you don't need all 10, you can delete the
extra ones in alt_names.
openssl req -new -sha256 -nodes -out \<crs_name.csr> -newkey rsa:2048 -keyout
\<your key name.key> -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C= < country >
ST= < Your States >
L= < City or location >
O= < Organization >
OU= <Organizational Unit >
emailAddress= <your email>
CN = <The common name of the cert>
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = < domain #1 >
DNS.2 = < domain #2 >
DNS.3 = < domain #3 >
DNS.4 = < domain #4 >
DNS.5 = < domain #5 >
DNS.6 = < domain #6 >
DNS.7 = < domain #7 >
DNS.8 = < domain #8 >
DNS.9 = < domain #9 >
EOF
)
-----Original Message-----
From: openssl-users
<[email protected]<mailto:[email protected]>>
On Behalf Of Piotr Lobacz
Sent: Monday, May 24, 2021 5:54 AM
To: [email protected]<mailto:[email protected]>
Subject: CSR generation using pkcs11 token engine from C# code
Hi all,
i am currently trying to generate CSR with the usage of tpm2-pkcs11 module
together with pkcs11 engine from opensc and the whole thing running with
openssl api from C# code.
I have checked that my solution works from command line. I have added these
lines:
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines-1.1/libpkcs11.so MODULE_PATH =
/usr/lib/libtpm2_pkcs11.so init = 0
to the /etc/ssl/openssl.cnf configuration file and than this command:
openssl req -new -subj '/C=PL/ST=Gdansk/L=Gdansk/CN=softgent.com/' -sha256
-engine pkcs11 -keyform engine -key
"pkcs11:token=foo;object=tls;type=private;pin-value=1234567890"
produces CSR for me.
Now i want to do all this, from C# code. I have found a C# library
https://github.com/andyhopp/OpenSsl.DynamicEngine which will load the engine,
but i think that this won't be sufficient in a matter of pkcs11 engine, because
i also need to load pkcs11 module. The question is what should i add to this
library for propper work in means of pkcs11 api? What i mean is to use all this
data from cnf file to configure openssl. Another question is how to execute
this command above for csr from C#? I suspect that because on linux C# sdk uses
openssl api for all cryptographic operations than it should be somehow similar
to the C solution. I would be gratefull if someone could point me at least for
a C solution of this issue.
Best regards
Piotr Lobacz
[https://softgent.com/wp-content/uploads/2020/01/Zasob-14.png]<https://www.softgent.com<https://softgent.com/wp-content/uploads/2020/01/Zasob-14.png%5d%3chttps:/www.softgent.com>>
Softgent Sp. z o.o., Budowlanych 31d, 80-298 Gdansk, POLAND
KRS: 0000674406, NIP: 9581679801, REGON: 367090912
www.softgent.com<http://www.softgent.com>
Sąd Rejonowy Gdańsk-Północ w Gdańsku, VII Wydział Gospodarczy Krajowego
Rejestru Sądowego
KRS 0000674406, Kapitał zakładowy: 25 000,00 zł wpłacony w całości.
