Hi, I am working with the CAPI engine and the machine keystore where I do have keys and certificates. To find my key, the engine will execute `capi_open_store()` which works just fine and pays respect to the store_flags set. I set these flags with `ENGINE_ctrl(e, ENGINE_CMD_BASE + 13, 1, NULL, NULL)` which works just fine. It does find the container and everything but upon calling `capi_get_key()` it will run until `CryptAcquireContextA(&key->hprov, contname, provname, ptype, 0)`.
The problem here lies within the last parameter as it is set to `0`. According to http://msdn.microsoft.com/en-us/library/windows/desktop/aa379886%28v=vs.85%29.aspx the last parameter are `dwFlags [in]` where CRYPT_MACHINE_KEYSET is one possible flag. This flag is required if you want to access a container that uses the machine keyset, which for example the tool `certreq` does if ordered so. Accessing a key created in this way is not possible with the CAPI engine as of now. So my suggestion is either to enable setting more complex flags or making a simple check (see attached diff for simple solution). This will now check whether the machine store was chosen and will set the dwFlag accordingly. I am not that familiar with the CryptoAPI to say this would be the only modification need. Maybe there even is a reason why it is not implemented yet and I am overlooking it. My problem occured when executing certreq while specifying the `MachineKeySet=TRUE` option. Anyone involved with the developement might be able to react to this. Regards, Florian
diff --git a/master:engines/e_capi.c b/capi_machinekeyset:engines/e_capi.c index bfedde0..c1085b5 100644 --- a/master:engines/e_capi.c +++ b/capi_machinekeyset:engines/e_capi.c @@ -1432,10 +1432,13 @@ static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx, const char *id, HCERTSTORE h static CAPI_KEY *capi_get_key(CAPI_CTX *ctx, const char *contname, char *provname, DWORD ptype, DWORD keyspec) { CAPI_KEY *key; + DWORD dwFlags = 0; key = OPENSSL_malloc(sizeof(CAPI_KEY)); CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n", contname, provname, ptype); - if (!CryptAcquireContextA(&key->hprov, contname, provname, ptype, 0)) + if(ctx->store_flags & CERT_SYSTEM_STORE_LOCAL_MACHINE) + dwFlags = CRYPT_MACHINE_KEYSET; + if (!CryptAcquireContextA(&key->hprov, contname, provname, ptype, dwFlags)) { CAPIerr(CAPI_F_CAPI_GET_KEY, CAPI_R_CRYPTACQUIRECONTEXT_ERROR); capi_addlasterror();