Hi,
In trying to implement integration of my application that uses OpenSSL with
nCipher HSM using CryptoAPI, I am stuck with a rather conceptual issue. First
let me explain the steps that I was able to do successfully (hopefully I'm
doing these right and this will be a helpful summarization for others), and
then I'll come to my question.
First things first: I created the keys and a certificate.
1. First off, I started by creating a CryptoAPI container called
"fooContainer" (using the nCipher CSP, and hence generated on the HSM), and
within it, key pairs for Signature and Exchange. I achieved this using the
nCipher utility keytst.exe.
2. Then, using the Microsoft SDK's makecert.exe utility, I created a self-signed
.PEM certificate from the Exchange key pair.
Next, integration of the CAPI engine and hardware keys with the existing OpenSSL
implementation:
3. My application was designed to use OpenSSL with software key storage. Thus,
it already uses the OpenSSL function calls SSL_CTX_use_PrivateKey_file() and
SSL_CTX_use_certificate_chain_file(), and makes use of the private key and
certificate stored on disk during SSL connection establishment. And so my
goal is to modify the application up to this point and set the SSL context
structures with appropriate values, so that it can use the new private key and
certificate.
4. So I initialized the CAPI engine using the following set of functions:
    ENGINE_load_capi();
    e = ENGINE_by_id( engine_id );
    ENGINE_init( e );
    ENGINE_set_default( e, ENGINE_METHOD_ALL );
5. Then, to load the private key from the card, I configured the Engine to use
the right CSP and container name as follows:
    ENGINE_ctrl_cmd_string( e, "csp_name", "nCipher Enhanced Cryptographic Provider", 0 );
    ENGINE_ctrl_cmd_string( e, "lookup_method", "3" /* container name */, 0 );
    ENGINE_ctrl_cmd_string( e, "key_type", "1" /* AT_KEYEXCHANGE (default) */, 0 );
6. Finally, I load the Private Key into an EVP_PKEY structure using:
    prikey = ENGINE_load_private_key( e, "fooContainer", NULL, NULL );
I see that my prikey is loaded successfully.
7. Eventually, I load the Private Key into the SSL context using:
    SSL_CTX_use_PrivateKey( sslCtx, prikey );
This also succeeds.
8. Now, I want to load the certificate into the same SSL Context.
At first I tried using the simple
    ENGINE_load_ssl_client_cert()
on the certificate file generated earlier, but that failed. I can
understand why: the certificate is encrypted (self-signed).
So it seems like the function that I would want to use instead is
    ENGINE_load_ssl_client_certificate()
But I'm not entirely sure if the same certificate is supposed to go
into the context as the "client" certificate, and if I am trying to do the right
thing.
Can someone please point me in the right direction? Hopefully I've included all
information that is relevant to my question.
Thank you,
Sunjeet