Hi all,

I'm trying to use the openssl command line utility to sign a data file with a key located in the Windows Certificate Store. I generated a 1024-bit DSA private key and certificate, converted them to PKCS#12 format and imported the certificate into WCS:

  openssl dsaparam -rand $ssl_sign_program -C -out $ssl_dsa_param 1024
  openssl req -x509 -extensions v3_ca $passout_param -newkey dsa:$ssl_dsa_param -keyout $ssl_dsa_priv_key -days 365 -batch -out $ssl_dsa_cert
  openssl pkcs12 -export -out $ssl_dsa_priv_key_pkcs12 -inkey $ssl_dsa_priv_key -name "KeyPKCS12" -in $ssl_dsa_cert $passin_param $passout_param

I expected that the command below would work:

  openssl dgst -keyform ENGINE -engine capi -sign Company -passin pass:123 -hex -out sig.txt -sha1 data_file

But it doesn't, because the capi engine doesn't implement pkey_meths and digests. I can't configure the engine to set these fields via openssl.conf. So my first question: is it possible to configure the capi engine's pkey_meths and digests via openssl.conf for the "openssl dgst -keyform ENGINE ..." command? Also I can't tune the engine's parameters like debug_file and debug_level via openssl.conf. If it is possible, I need some hints about the openssl.conf syntax.

I hacked engines/e_capi.c and implemented the pkey_meths and digests methods. See the patch attached. My openssl.cnf is also attached. With it,

  openssl dgst -keyform ENGINE -engine capi -sign Company -passin pass:123 -hex -out sig.txt -sha1 data_file

somehow works and produces

  DSA-SHA1(data_file)= 302e021500a9eef69a52e5e3f115a7e42164251b08e304a8c3021500e207a4d7e3a45bf35ac5d09c325c7b9a1c01207f

But if I sign the same file using the initial private key in PEM format,

  openssl dgst -hex -sign dsa_priv.key -out sig1.txt -passin pass:123 -sha1 data_file

I get a different signature:

  DSA-SHA1(data_file)= 302d021500a26c908bf9f345d4a2035800725fb00615e56fca02144237ba4965b7c6ff763ccb30adf9d19dc4f13e0d

Could somebody explain what is wrong?

Thank you in advance,
Vladimir
Attachments: openssl_capi.diff, openssl.cnf
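The difference the post observes is what DSA is specified to do: every signing operation draws a fresh random per-signature value k, so two signatures over the same file with the same key differ, and both verify. The script below is an added example, not part of this thread and not OpenSSL's or the capi engine's code. It implements textbook DSA with SHA-1 using only the Python standard library, generating its own toy-sized parameters (512-bit p, 160-bit q, chosen for speed, not security) rather than the 1024-bit ones in the post, and it encodes (r, s) as the DER SEQUENCE of two INTEGERs that openssl dgst -hex prints. That encoding is also why the two hex values in the post begin 302e and 302d: a DER INTEGER gets a leading 0x00 byte whenever its high bit is set, so the total length varies from signature to signature. The sample message is constructed for the demo.

```python
# Toy DSA (added example, standard library only). Reduced parameter sizes
# (512-bit p, 160-bit q) keep the demo fast; they are not secure choices.
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with `rounds` random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(p_bits=512, q_bits=160):
    """Return (p, q, g): primes with q | p-1 and a generator g of order q mod p."""
    q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
    while not is_probable_prime(q):
        q += 2
    while True:  # search for p = k*q + 1 of exactly p_bits
        k = secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))
        p = k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    h = 2
    while True:
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g
        h += 1


def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1          # private key in [1, q-1]
    return x, pow(g, x, p)                    # (private, public)


def _hash_mod_q(message, q):
    # DSA-SHA1 as in the post: the SHA-1 digest as an integer, reduced into Z_q.
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % q


def sign(params, x, message):
    """Each call draws a fresh random k, so signatures of identical input differ."""
    p, q, g = params
    e = _hash_mod_q(message, q)
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (e + x * r) % q
        if r != 0 and s != 0:
            return r, s


def verify(params, y, message, signature):
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    e = _hash_mod_q(message, q)
    u1, u2 = e * w % q, r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r


def der_int(n):
    """DER INTEGER: minimal big-endian bytes, plus a 0x00 pad when the high bit is set."""
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + bytes([len(b)]) + b


def der_signature(signature):
    """SEQUENCE { INTEGER r, INTEGER s }: the layout openssl dgst -hex prints."""
    body = der_int(signature[0]) + der_int(signature[1])
    return b"\x30" + bytes([len(body)]) + body  # body is < 128 bytes for 160-bit q


def demo(message=b"constructed sample data_file contents\n"):
    """Sign one message twice with one key; report DER hex and verification results."""
    params = generate_params()
    x, y = keygen(params)
    sig1, sig2 = sign(params, x, message), sign(params, x, message)
    return {
        "sig1": der_signature(sig1).hex(),
        "sig2": der_signature(sig2).hex(),
        "differ": sig1 != sig2,
        "both_verify": verify(params, y, message, sig1) and verify(params, y, message, sig2),
        "tampered_verifies": verify(params, y, message + b"x", sig1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints two different DER signatures that both verify against the same public key and fail on a tampered message, which is the same outcome as the two openssl dgst runs in the post. The practical consequence for anyone comparing an engine-backed signer against a PEM key: never compare DSA (or ECDSA) signature bytes for equality; verify each signature with the public key instead.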