Thanks Jakob! I received the suggestion of using the CAPI engine from this list when I initially laid out my problem earlier in the year; unfortunately I couldn't find any documentation on how to use it, let alone tailor its functionality to my requirements (e.g. selecting certificates based on friendly name with some rudimentary wildcard SNI matching etc.). I suppose I could use the CAPI directly to select the certificate if I could tell the CAPI engine to do SSL-required cryptographic operations using that certificate subsequently.

We're currently working with 0.9.8n (upgrading is on the horizon but not imminent) - is there any documentation anywhere on how this might be accomplished?

Thanks again ... N

---
Nou Dadoun
ndad...@teradici.com
604-628-1215

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm
Sent: July 25, 2012 2:22 AM
To: openssl-users@openssl.org
Subject: Re: DSA certificates from windows certificate store into openssl

On 24-07-2012 19:31, Nou Dadoun wrote:
> Hey folks,
> I recently added a facility to our code base to retrieve a certificate and
> private key from a windows certificate store (using the windows crypto api)
> and converted it to a form usable by openssl. The certificate part was easy,
> the key a little trickier, involving the creation of a new rsa key pair in
> openssl and then modifying the parameters to match those derived from the
> privatekeyblob pulled from the windows cert data structure.

You are doing it very, very wrong.

A key feature of MS CryptoApi (and of most other engines) is that they are designed not to give you the key, ever. To get the privatekeyblob from CryptoApi, the key store has to be badly misconfigured (specifically, the key has to be stored in the registry *and* marked as "exportable" with a password that your code can access without user assistance).

The right way is to use the engine functionality in OpenSSL to let OpenSSL use the key without ever extracting it from CryptoAPI. This works by telling OpenSSL to use the "engine for CryptoAPI" to do the secret key operation (DSA signing in your current case); the "engine for CryptoAPI" will then turn the OpenSSL DSA signing call into a CryptoAPI signing call, which CryptoAPI can then perform without exporting or otherwise revealing the secret key.

For FIPS certified uses, you then need to enable FIPS mode in both OpenSSL (so OpenSSL will only use the FIPS certified and approved algorithms) and in CryptoAPI (this is set in "Administrative Tools" -> "Local Security Policy" -> "Security Settings" -> "Local Policies" -> "Security Options" -> "System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing").

For added security, install a FIPS certified hardware key storage (such as certain models of Spyrus smart cards) and its Windows drivers so its keys are then reached through CryptoAPI calls (to CryptoAPI, the registry stored keys are just a fallback driver emulating such hardware with less security).

Alternatively, you could install the Windows PKCS#11 driver for the hardware and use OpenSSL's pkcs11 engine to access it, but someone recently posted problems using the PKCS#11 engine with FIPS enabled.

> This was all done for RSA keys and although I had a number of false starts,
> it wasn't too painful (once I'd arranged for exportable keys and got out of
> windows api land as quickly as possible).
>
> We've just had a customer request to support the use of DSA certificates
> which I know little about (so far), can the same general process be used to
> extract/convert DSA keys (I'm assuming that the certificate encoding is
> essentially the same).
>
> Does anyone have experience with this? Any pointers or links to
> documentation for how this might be done?
>
> Thanks in advance .... N
>

--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
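An added example, not from this thread and not from OpenSSL's own documentation: an openssl.cnf fragment that loads the CryptoAPI engine Jakob describes at OPENSSL_config() time, makes it the default for RSA and DSA private-key operations, and selects keys by certificate friendly name, which is the selection Nou asked about. The ctrl names are those of OpenSSL's engines/e_capi.c and are assumed to be present in the 0.9.8n build in use; `openssl engine -vvv capi` lists the ones a given build actually supports.

```ini
# Added example (not from the thread or from OpenSSL's docs): route private-key
# operations through CryptoAPI so the key is never exported from the store.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
capi = capi_section

[capi_section]
engine_id = capi
# The capi ctrl handler rejects commands before the engine is initialised,
# so init must come before the ctrls below.
init = 1
# Only these methods are forwarded to CryptoAPI; everything else stays in
# OpenSSL's own software implementations.
default_algorithms = RSA,DSA
# Certificate store to search; MY is the current user's "Personal" store.
store_name = MY
# How the key id passed to ENGINE_load_private_key() (or "-key" on the CLI
# with "-keyform ENGINE") is matched against the store:
#   1 = substring match on the certificate subject
#   2 = exact match on the certificate's friendly name
lookup_method = 2
```

With this in place the application calls `ENGINE_by_id("capi")` after `OPENSSL_config(NULL)` and then `ENGINE_load_private_key(e, "<friendly name>", NULL, NULL)`; the returned EVP_PKEY carries no key material, and its sign operations (RSA or DSA) are turned into CryptoAPI signing calls. `openssl engine -t -c capi` confirms the engine loads and reports which algorithms it provides before the code path is relied on.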