Closed matsujirushi closed 3 years ago
I wrote the x509certificate variable:
static const char* x509certificate = "pkcs11:token=MCHP;object=device;type=cert";
Hi @matsujirushi thanks for the message.
Are you able to use this to help guide you using PKCS11?
Copied here is the relevant section:
// Example using PKCS#11 OpenSSL ENGINE (https://github.com/OpenSC/libp11)
// The OpenSSL ENGINE must be associated to a pkcs11 module within openssl.cnf.
static const char* opensslEngine = "pkcs11";
static const OPTION_OPENSSL_KEY_TYPE x509_key_from_engine = KEY_TYPE_ENGINE;
// Certificate can be extracted from the PKCS#11 library using pkcs11-tool from OpenSC.
static const char* x509certificate =
"-----BEGIN CERTIFICATE-----\n"
"MIIBMTCB1wIUTu66kxJIBR5t5IkAwh7Lqm/AM+IwCgYIKoZIzj0EAwIwGzEZMBcG\n"
// [...]
"DItkq1MHqzqExB1eTrMHQVY11w62\n"
"-----END CERTIFICATE-----\n";
// The private key contains the PKCS#11 URI.
static const char* x509privatekey = "pkcs11:object=ec-privkey;type=private?pin-value=1234";
Hi @danewalton, thank you for the reply.
It works in my environment when x509privatekey uses pkcs11 and x509certificate is hard-coded (NOT using pkcs11). I want to use the certificate in the ATECC608A-TNGTLS, so I made the following change. Then an error occurred.
static const char* x509certificate = "pkcs11:token=MCHP;object=device;type=cert";
Yes right now we only have support for loading the private key from an engine. Here is the call to make that happen: https://github.com/Azure/azure-c-shared-utility/blob/64ea7a9359d9f431a713658cb95bbd0c426c8e3c/adapters/x509_openssl.c#L241
The equivalent call to ENGINE_load_public_key() is not in our code base and therefore the loading comes from https://github.com/Azure/azure-c-shared-utility/blob/64ea7a9359d9f431a713658cb95bbd0c426c8e3c/adapters/x509_openssl.c#L311
TLDR: we don't support that right now. I will move this to a discussion as a feature ask though.
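To make the distinction in this thread concrete, here is an added example (not code from the SDK or from either participant) that parses the PKCS#11 URIs quoted above according to RFC 7512 and flags the two things a reviewer would care about: a type=cert URI placed where the SDK expects PEM text, and a PIN embedded with pin-value. The attribute names come from RFC 7512; the findings text is my own wording.

```python
"""Parse and sanity-check PKCS#11 URIs (RFC 7512) like those in this thread.

Path attributes (token, object, type, id, ...) come before '?' and are
separated by ';'; query attributes (pin-value, pin-source, module-path, ...)
come after '?' and are separated by '&'. Values are percent-encoded.
"""
from urllib.parse import unquote

# Attribute names defined by RFC 7512, so a typo such as 'typ=cert' is rejected.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-version", "library-description", "object", "type", "id",
              "slot-manufacturer", "slot-description", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def parse_pkcs11_uri(uri: str) -> dict:
    """Return {'path': {...}, 'query': {...}} or raise ValueError."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    parsed = {"path": {}, "query": {}}
    for part, sep, allowed, section in ((path_part, ";", PATH_ATTRS, "path"),
                                        (query_part, "&", QUERY_ATTRS, "query")):
        for item in filter(None, part.split(sep)):
            name, eq, value = item.partition("=")
            if not eq or name not in allowed:
                raise ValueError(f"bad or unknown attribute {item!r}")
            if name in parsed[section]:
                raise ValueError(f"duplicate attribute {name!r}")
            parsed[section][name] = unquote(value)
    return parsed


def check_uri(uri: str) -> list:
    """Return findings relevant to how the SDK sample uses these strings."""
    parsed = parse_pkcs11_uri(uri)
    findings = []
    if parsed["path"].get("type") == "cert":
        # The SDK only loads the private key through the ENGINE; the
        # certificate string is parsed as PEM text, so a URI there fails.
        findings.append("type=cert: SDK expects PEM text, not a PKCS#11 URI")
    if "pin-value" in parsed["query"]:
        # A literal PIN in a source string ends up in the binary and in VCS.
        findings.append("pin-value embeds the PIN; prefer pin-source")
    return findings
```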
Using ATECC608A-TNGTLS certificate in iothub_ll_client_x509_sample causes an error.
https://github.com/Azure/azure-c-shared-utility/blob/e4d74dce9af5e885f0f26b4f9d2f693b358b6455/adapters/x509_openssl.c#L57
However, I can get the certificate chain using p11tool.
I don't know how to find out. Could you give me some advice?