For one, I know CAPI doesn't support OAEP yet (not part of the TLS spec, right?), but yes, I was confused by the padding they used. Eventually I realized that the padding MS CAPI uses is dependent upon the context of the RSA operation, signing or key exchange. When encrypting w/ the public key PKCS #1 type 2 is used; when encrypting w/ the private key PKCS #1 type 1 is used (for some this is overtly obvious). I ultimately got around my own confusion by implementing the new sign/verify hooks of the OpenSSL engine interface, directly interfacing to the analogous calls of MS CAPI. As a bit of trivia, MS CAPI has reserved an OAEP flag, but of course it is documented that it's perfectly useless (thanks for nothing, MS).
--- Frédéric Giudicelli <[EMAIL PROTECTED]> wrote:
> Ok.
>
> Didn't you have too many problems with the PADDING? If I recall well, CAPI
> doesn't support all the PADDINGS used by OpenSSL.
>
> Frédéric Giudicelli
> http://www.newpki.org
>
>
> ----- Original Message -----
> From: "Bryce Howard" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, June 10, 2003 9:20 AM
> Subject: Re: MS CAPI OpenSSL Engine?
>
>
> >
> > In summary the MS CAPI engine provides:
> > - Support for RSA signing and verification operations that will work w/
> > non-exportable MS CAPI private keys, should work with any CAPI-compliant HW
> > token (testing it w/ Rainbow iKeys this week)
> > - Full access to any MS CAPI keystore, implemented a certificate lookup library
> > that implements the X509_LOOKUP_METHOD "interface" (thus when verifying the
> > certificate chain the MS CAPI "Root" and "CA" keystores can be used)
> > - Engine interface to MS CAPI random number generator
> > - SSL interface to allow visual selection of client certificate during
> > negotiation phase (IE/Mozilla style, using an SSL (undocumented?) hook)
> >
> > --- Frédéric Giudicelli <[EMAIL PROTECTED]> wrote:
> > > I already made this announcement, but nobody seemed to care at the time :)
> > >
> > > I developed some BIO support for the MS SSPI, allowing one to initiate from
> > > OpenSSL an SSL connection using an MS PCERT_CONTEXT; I would gladly
> > > provide it to the OpenSSL project.
> > >
> > > Does your engine provide access to the certificate, or just the RSA bi-key?
> > >
> > >
> > > Frédéric Giudicelli
> > > http://www.newpki.org
> > >
> > >
> > >
> > > ______________________________________________________________________
> > > OpenSSL Project                                 http://www.openssl.org
> > > Development Mailing List                       [EMAIL PROTECTED]
> > > Automated List Manager                         [EMAIL PROTECTED]
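The two PKCS #1 v1.5 block types the reply contrasts (type 1 for private-key/signing operations, type 2 for public-key encryption), as an added example that is not part of the thread and not code from the CAPI engine or from OpenSSL. The function names and the modulus length k (in bytes) are assumptions for illustration. It builds both block types, shows that a type-1 block is deterministic while a type-2 block carries random non-zero padding, and has the unpadding routine insist on the block type the caller expects, which is exactly the mismatch that trips up code that assumes one padding for both operations. The SHA-1 DigestInfo prefix is the one from RFC 3447 section 9.2, which is what OpenSSL's RSA_sign(NID_sha1, ...) wraps in a type-1 block.

```python
import hashlib
import os

# DER-encoded DigestInfo prefix for SHA-1, per RFC 3447 section 9.2.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

# Minimum padding-string length mandated by PKCS #1 v1.5 (8 bytes) plus the
# three framing bytes 00, BT, 00.
_OVERHEAD = 11


def pkcs1_v15_type1_pad(data: bytes, k: int) -> bytes:
    """Block type 1 (signing / 'encrypting with the private key'):
    00 || 01 || FF..FF || 00 || data.  Deterministic by design."""
    if len(data) > k - _OVERHEAD:
        raise ValueError("data too long for a %d-byte modulus" % k)
    ps = b"\xff" * (k - len(data) - 3)
    return b"\x00\x01" + ps + b"\x00" + data


def pkcs1_v15_type2_pad(data: bytes, k: int, rng=os.urandom) -> bytes:
    """Block type 2 (encrypting with the public key, e.g. TLS RSA key exchange):
    00 || 02 || PS || 00 || data, where PS is random and contains no zero byte."""
    if len(data) > k - _OVERHEAD:
        raise ValueError("data too long for a %d-byte modulus" % k)
    ps_len = k - len(data) - 3
    ps = b""
    while len(ps) < ps_len:
        # Drop zero bytes; the first 0x00 after the block type is the separator.
        ps += bytes(b for b in rng(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + ps + b"\x00" + data


def pkcs1_v15_unpad(em: bytes, expected_type: int) -> bytes:
    """Strip a PKCS #1 v1.5 block, refusing anything but the expected block type.
    Note: this is a clarity-first implementation and is not constant-time; a
    decryption oracle built on it would leak padding validity (Bleichenbacher)."""
    if len(em) < _OVERHEAD or em[0] != 0x00 or em[1] not in (1, 2):
        raise ValueError("malformed PKCS #1 v1.5 block")
    if em[1] != expected_type:
        raise ValueError("block type %d, expected type %d" % (em[1], expected_type))
    try:
        sep = em.index(b"\x00", 2)
    except ValueError:
        raise ValueError("missing 0x00 separator") from None
    ps = em[2:sep]
    if len(ps) < 8:
        raise ValueError("padding string shorter than 8 bytes")
    if expected_type == 1 and any(b != 0xFF for b in ps):
        raise ValueError("type-1 padding string must be all 0xFF")
    return em[sep + 1:]


def emsa_pkcs1_v15_sha1(message: bytes, k: int) -> bytes:
    """The encoded message a PKCS #1 v1.5 SHA-1 signature is computed over:
    DigestInfo(SHA-1, H(message)) inside a type-1 block."""
    digest_info = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    return pkcs1_v15_type1_pad(digest_info, k)


if __name__ == "__main__":
    k = 128  # 1024-bit modulus, as was common for the hardware tokens of the day
    sig_input = emsa_pkcs1_v15_sha1(b"constructed sample message", k)
    kx_input = pkcs1_v15_type2_pad(b"constructed premaster secret", k)
    print("type 1:", sig_input.hex()[:24], "... (deterministic)")
    print("type 2:", kx_input.hex()[:24], "... (random PS)")
    try:
        pkcs1_v15_unpad(kx_input, 1)
    except ValueError as e:
        print("rejected as expected:", e)
```

Feeding a type-2 block to a verifier that expects type 1 (or vice versa) fails at the block-type byte before any other check, which is the behaviour you want from the sign/verify hooks the reply describes: the engine selects the block type from the operation, not from a caller-supplied padding constant.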
