Ziacek Martin wrote:
> 
> Well, again a short description. I need to import a pfx file (it is in
> PKCS12 format) into the certificate store of Windows. When a certificate
> is stored in the certificate store with its corresponding private keys,
> it is possible to use it (for encryption and signing) in MS Outlook. It
> is enough for a test of my project - a custom cryptography service
> provider DLL. My provider supports the DSA algorithm, therefore I need
> DSA keys. In my first e-mail I attached generated files (generated by
> one CA and by me). Please, look at them.
> MSIE does not import certificates, it just uses them from the
> certificate store. There is a certificate manager (certmgr.exe), and
> this program does the import of certificates (certificates are stored
> in the registry). When I import a pfx file (DSA) into the certificate
> store, I get the error message "Input information is invalid".
> Windows supports DSA with its CryptoAPI (look at the page
> http://msdn.microsoft.com/library/psdk/crypto/cryptoref_4dmb.htm, there
> is a list with brief descriptions of the MS providers). I am not sure
> if it is an error because of some error in Windows (or certmgr.exe, or
> something else), or an error in openssl. However, I am able to import a
> PKCS12 file with RSA keys. I am able to import an X509v3 certificate
> with a public DSA key without any problem.
> Currently I am in a very bad situation, because I finished the first
> part of the tests (with my test program), and I can not continue with
> the second part - tests with real applications.
> 

Windows has supported DSA in CryptoAPI since before MSIE 4.0 but it
didn't support certificates then: attempting to install a DSA CA
certificate resulted in an error. MS Outlook Express of the time would
allow a DSA PKCS#12 file to be imported but attempts to use it to sign
messages resulted in a corrupt PKCS#7 file.

Now it seems it will support DSA CAs up to a point, I've managed to
import some CAs as you suggested. I've also managed to do some tests
which show it can recognise an invalid DSA signature.

I've seen messages in the CryptoAPI mailing list from MS saying Windoze
2000 will support DSA certificates and keys.

It may be that it currently supports DSA keys and certificates but
doesn't "do the right thing" if it has both. It is also possible it
doesn't support DSA PKCS#12 import or the applications can't handle DSA
private key operations.

One way to resolve this is to import a DSA private key and certificate
into CryptoAPI using CryptoAPI calls directly (e.g. CryptImportKey()
with a DSA PRIVATEKEYBLOB), link the two up and see if applications
work properly.

If things seem OK the next step is to export a PKCS#12 file and see if
it will re-import it and use the DSA key. If this works then it suggests
a non standard and broken PKCS#12 DSA format: if I can get such a
PKCS#12 file to analyse I'll add an option to support it.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
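The second experiment Steve proposes (export a PKCS#12 containing a DSA key and certificate, then see whether it parses and re-imports) can be exercised on the OpenSSL side alone. The script below is an added example, not code from either poster or from the OpenSSL project: it generates a 2048-bit DSA key and self-signed certificate, wraps them in a PKCS#12 file, prints the bag and MAC details with `pkcs12 -info`, and then pulls the key and certificate back out and checks that both are really DSA. The subject name, password and file names are constructed test values. It also explicitly requests the PKCS#12 v1 PBE schemes (PBE-SHA1-3DES) and an HMAC-SHA1 MAC, because an OpenSSL 3 export otherwise defaults to AES-256-CBC with PBKDF2 and SHA-256, which older Windows importers do not understand; when a CryptoAPI import of a DSA PKCS#12 fails, the algorithms shown by `-info` are the first thing to rule out before suspecting the DSA key encoding itself.

```shell
#!/bin/sh
# Added example (not from the thread): round-trip a DSA key + certificate
# through PKCS#12 with OpenSSL and verify what comes back out.
# All names, the subject and the password are constructed test values.

roundtrip_dsa_pkcs12() {
    work=$(mktemp -d) || return 1
    pass="pass:test-only"   # constructed; never reuse a real password here

    # 1. DSA parameters, a 2048-bit private key, and a self-signed cert.
    openssl dsaparam -out "$work/dsa.params" 2048 2>/dev/null || return 1
    openssl gendsa -out "$work/dsa.key" "$work/dsa.params" 2>/dev/null || return 1
    openssl req -new -x509 -days 1 -key "$work/dsa.key" \
        -subj "/CN=dsa-pkcs12-test" -out "$work/dsa.crt" 2>/dev/null || return 1

    # 2. Export to PKCS#12. Ask for the PKCS#12 v1 PBE schemes and an
    #    HMAC-SHA1 MAC so that legacy importers can read the container.
    openssl pkcs12 -export -inkey "$work/dsa.key" -in "$work/dsa.crt" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "$pass" -out "$work/dsa.p12" || return 1

    # 3. Show what the file actually contains (bag types, PBE, MAC).
    openssl pkcs12 -info -noout -in "$work/dsa.p12" -passin "$pass" 2>&1

    # 4. Re-import: extract the private key and confirm it parses as DSA
    #    ('openssl dsa' refuses to load a key of any other type).
    openssl pkcs12 -in "$work/dsa.p12" -passin "$pass" -nodes -nocerts \
        -out "$work/back.key" 2>/dev/null || return 1
    openssl dsa -in "$work/back.key" -noout 2>/dev/null || return 1

    # 5. The certificate must carry a DSA public key as well.
    openssl pkcs12 -in "$work/dsa.p12" -passin "$pass" -nokeys -clcerts \
        -out "$work/back.crt" 2>/dev/null || return 1
    openssl x509 -in "$work/back.crt" -noout -text \
        | grep -q 'Public Key Algorithm: dsaEncryption' || return 1

    rm -rf "$work"
    echo "DSA PKCS#12 round trip OK"
}

roundtrip_dsa_pkcs12
```

If the round trip succeeds here but the same file is rejected by a CryptoAPI importer, the difference is on the Windows side of the exchange, which is exactly the case Steve asks for a sample file to analyse.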

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
