Ciao Andrejs. I don't know much about the source code you posted previously but if you build OpenSSL with the 'enable-capieng' option you'll be able to access every single store and all the certs stored in Windows.
I hope it helps. Sergio.

> Date: Mon, 31 Oct 2011 09:44:11 +0100
> From: jb-open...@wisemo.com
> To: openssl-users@openssl.org
> Subject: Re: Using certificate and private key from Windows cert store with OpenSSL
>
> In that case look for the CryptoAPI engine for openssl, not sure of its
> official name though.
>
> On 10/29/2011 8:21 AM, Andrejs Štrumfs wrote:
> > Duh... I was sure these were the needed parts. Now, I tried to call
> > CryptExportKey with the PRIVATEKEYBLOB flag, and of course it returned an error,
> > because the certificate was imported to the store without the Mark as Exportable
> > option. But there has to be a way to use the certificate and private key somehow
> > with OpenSSL? I'm really a beginner with this certificate thing, maybe I just
> > don't understand something? :)
> >
> >> Simple, really:
> >>
> >> You have not set the "private" part of the private key (d, p, q, dmp1,
> >> dmq1, iqmp).
> >>
> >> You need to export the private key from CryptoAPI too, and convert that
> >> blob, not the public key blob.
> >>
> >> Alternatively, I have heard rumors of a "CryptoAPI engine" plug-in for
> >> OpenSSL which will let OpenSSL directly use the keys and certificates
> >> stored by Windows.
> >>
> >>
> >> On 10/28/2011 9:48 AM, Andrejs Štrumfs wrote:
> >>> Hi!
> >>>
> >>> I am trying to make a program that uses some Web Services in Delphi
> >>> XE. To connect to the Web Services, I have to use a self-signed (hope
> >>> this is the correct term) certificate, which is stored in the Windows cert
> >>> store. So, I open the cert store with CertOpenSystemStore, get the cert
> >>> with CertFindCertificateInStore and set it with
> >>> SSL_CTX_use_certificate. No problem with this.
> >>> Then I get the public key blob with CryptExportKey and make up a
> >>> private key like this:
> >>>
> >>> function PrivKeyBlob2RSA(const AKeyBlob: PByte; const ALength: Integer;
> >>>   const ASSLCtx: PSSL_CTX): IdSSLOpenSSLHeaders.PEVP_PKEY;
> >>> var
> >>>   modulus: PByte;
> >>>   bh: PBLOBHEADER;
> >>>   rp: PRSAPUBKEY;
> >>>   rsa_modlen: DWORD;
> >>>   rsa_modulus: PAnsiChar;
> >>>   rkey: PRSA;
> >>> begin
> >>>   bh := PBLOBHEADER(AKeyBlob);
> >>>   Assert(bh^.bType = PUBLICKEYBLOB);      { 8-byte BLOBHEADER comes first }
> >>>   rp := PRSAPUBKEY(AKeyBlob + 8);         { then RSAPUBKEY: magic, bitlen, pubexp }
> >>>   Assert(rp^.magic = $31415352);          { 'RSA1' = public key blob only }
> >>>   rsa_modulus := PAnsiChar(Integer(Pointer(rp)) + 12);  { little-endian modulus follows }
> >>>   rkey := RSA_new_method(ASSLCtx.client_cert_engine);
> >>>   rkey^.References := 1;
> >>>   rkey^.e := BN_new;
> >>>   rkey^.n := BN_new;
> >>>   BN_set_word(rkey^.e, rp^.pubexp);
> >>>   rsa_modlen := rp^.bitlen div 8;         { the modulus is exactly bitlen div 8 bytes }
> >>>   modulus := AllocMem(rsa_modlen);
> >>>   CopyMemory(modulus, rsa_modulus, rsa_modlen);
> >>>   RevBuffer(modulus, rsa_modlen);         { CryptoAPI is little-endian, BN_bin2bn wants big-endian }
> >>>   BN_bin2bn(modulus, rsa_modlen, rkey^.n);
> >>>   FreeMem(modulus);
> >>>   { d, p, q, dmp1, dmq1, iqmp are never set: this RSA has no private half }
> >>>   Result := EVP_PKEY_new;
> >>>   EVP_PKEY_assign_RSA(Result, PAnsiChar(rkey));
> >>> end;
> >>>
> >>> and set it up with SSL_CTX_use_PrivateKey and
> >>> SSL_CTX_check_private_key. Also, no problem so far. But then, when data
> >>> transfer begins, I get an access violation in libeay32.dll - Access
> >>> violation at address 09881C5F in module 'libeay32.dll'. Read of address
> >>> 00000000. If I load the key from a .pem file, everything is fine.
> >>> The libeay32.dll version is 1.0.0.5. Tried with version 0.9.something
> >>> too - got the same error, just a different address.
> >>> Below is the RSA structure I get in PrivKeyBlob2RSA:
> >>>
> >>> pad 0
> >>> version 0
> >>> meth $898030C
> >>> engine nil
> >>> n $A62D508
> >>> e $A62D4D8
> >>> d nil
> >>> p nil
> >>> q nil
> >>> dmp1 nil
> >>> dmq1 nil
> >>> iqmp nil
> >>> ex_data (nil, -1163005939 {$BAADF00D})
> >>> references 1
> >>> flags 6
> >>> _method_mod_n nil
> >>> _method_mod_p nil
> >>> _method_mod_q nil
> >>> bignum_data nil {#0}
> >>> blinding nil
> >>> mt_blinding nil
> >>>
> >>> I checked the n and e bignums, and they are CORRECT, and everything
> >>> else looks ok. The error happens when calling function ssl_read. I
> >>> can't see what I am doing wrong, please help :) Thanks
> >>>
> >>> Andrejs
> >>>
> >> ______________________________________________________________________
> >> OpenSSL Project http://www.openssl.org
> >> User Support Mailing List openssl-users@openssl.org
> >> Automated List Manager majord...@openssl.org
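The root cause in the quoted thread is that a PUBLICKEYBLOB ('RSA1') carries only n and e, while the d, p, q, dmp1, dmq1, iqmp that OpenSSL needs come only from a PRIVATEKEYBLOB ('RSA2'), and SSL_CTX_check_private_key does not notice the missing half. The parser below is an added example, not code from the thread or from OpenSSL: it decodes both blob layouts per wincrypt.h, reads the modulus as exactly bitlen/8 little-endian bytes, and adds the consistency check the thread was missing; the toy 16-bit key is constructed inline for illustration only.

```python
import struct
from collections import namedtuple

# wincrypt.h constants: blob types, RSAPUBKEY magics ("RSA1"/"RSA2" as LE DWORDs)
PUBLICKEYBLOB, PRIVATEKEYBLOB, RSA1, RSA2 = 0x06, 0x07, 0x31415352, 0x32415352
RsaParts = namedtuple("RsaParts", "n e d p q dmp1 dmq1 iqmp")  # OpenSSL RSA names

def parse_cryptoapi_rsa_blob(blob: bytes) -> RsaParts:
    """Parse a PUBLICKEYBLOB or PRIVATEKEYBLOB; private parts are None for RSA1."""
    btype, bversion, _res, _alg = struct.unpack_from("<BBHI", blob, 0)  # BLOBHEADER
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)         # RSAPUBKEY
    if bversion != 2 or bitlen % 16: raise ValueError("malformed blob header")
    nlen, hlen, off = bitlen // 8, bitlen // 16, 20  # modulus is exactly bitlen/8 bytes
    def take(size):  # every CryptoAPI integer is stored little-endian
        nonlocal off
        chunk, off = blob[off:off + size], off + size
        if len(chunk) != size: raise ValueError("blob truncated")
        return int.from_bytes(chunk, "little")
    n = take(nlen)
    if btype == PUBLICKEYBLOB and magic == RSA1:
        parts = RsaParts(n, pubexp, None, None, None, None, None, None)
    elif btype == PRIVATEKEYBLOB and magic == RSA2:
        p, q, dmp1, dmq1, iqmp = [take(hlen) for _ in range(5)]  # order fixed by CryptoAPI
        parts = RsaParts(n, pubexp, take(nlen), p, q, dmp1, dmq1, iqmp)  # d comes last
    else:
        raise ValueError("unexpected bType/magic %#x/%#x" % (btype, magic))
    if off != len(blob): raise ValueError("trailing bytes after key material")
    return parts

def private_parts_usable(k: RsaParts) -> bool:
    """What SSL_CTX_check_private_key does not verify: d/p/q present and consistent."""
    return k.d is not None and k.p * k.q == k.n and pow(pow(2, k.e, k.n), k.d, k.n) == 2

def build_blob(k: RsaParts, bitlen: int, private: bool) -> bytes:
    """Serialise RsaParts into a CryptoAPI blob (constructed test data, not Windows output)."""
    nlen, hlen = bitlen // 8, bitlen // 16
    out = struct.pack("<BBHIIII", PRIVATEKEYBLOB if private else PUBLICKEYBLOB, 2, 0,
                      0x0000A400, RSA2 if private else RSA1, bitlen, k.e)  # CALG_RSA_KEYX
    out += k.n.to_bytes(nlen, "little")
    if private:
        out += b"".join(x.to_bytes(hlen, "little") for x in (k.p, k.q, k.dmp1, k.dmq1, k.iqmp))
        out += k.d.to_bytes(nlen, "little")
    return out

# Constructed toy key with a 16-bit modulus (illustration only): p=251, q=241, e=17
P, Q, E = 251, 241, 17
D = pow(E, -1, (P - 1) * (Q - 1))
TOY_KEY = RsaParts(P * Q, E, D, P, Q, D % (P - 1), D % (Q - 1), pow(Q, -1, P))
PUBLIC_BLOB, PRIVATE_BLOB = build_blob(TOY_KEY, 16, False), build_blob(TOY_KEY, 16, True)
```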