-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, August 07, 2014 3:16 PM
To: openssl-users@openssl.org
Subject: Re: openssl dgst and capi engine question
> On Sun, Aug 03, 2014, Vladimir Simonov wrote:
>
>> Hi all,
>>
>> I'm trying to use the openssl command line utility to sign a data file with
>> a key located in the Windows Certificate Store.
>> I generated a 1024-bit DSA private key and certificate, converted them
>> to PKCS#12 format and imported the certificate into WCS.
>>
>> openssl dsaparam -rand $ssl_sign_program -C -out $ssl_dsa_param 1024
>> openssl req -x509 -extensions v3_ca $passout_param -newkey dsa:$ssl_dsa_param -keyout $ssl_dsa_priv_key -days 365 -batch -out $ssl_dsa_cert
>> openssl pkcs12 -export -out $ssl_dsa_priv_key_pkcs12 -inkey $ssl_dsa_priv_key -name "KeyPKCS12" -in $ssl_dsa_cert $passin_param $passout_param
>>
>> I expected that the command below would work:
>>
>> openssl dgst -keyform ENGINE -engine capi -sign Company -passin pass:123 -hex -out sig.txt -sha1 data_file
>>
>> But it doesn't.
>> Because the capi engine doesn't implement pkey_meths and digests.
.....
> You can test the key loading using the pkey utility:
>
> openssl pkey -engine capi -inform e -pubout -in DSA
>
> If this works it will output the public part of the key.
>
> The -passin argument isn't used by ENGINE based keys BTW.

Steve, thank you for the hints!

After your answer I tried "OpenSSL 1.0.1h 5 Jun 2014"; earlier I used "OpenSSL 1.0.1e 11 Feb 2013". And now "openssl dgst -sign" works as expected:

openssl dgst -keyform ENGINE -engine capi -sign Company -hex -sha1 Makefile
DSA-SHA1(Makefile)= 302e0215009e06494518c8cbc4ae024e5a5e0641387e7717100215008fc4162abb6bf440d6b7d13b054a55f79ca58742

So now all is almost fine:

openssl dgst -keyform ENGINE -engine capi -sign Company -out sig -sha1 Makefile
openssl dgst -keyform ENGINE -engine capi -prverify Company -signature sig Makefile
"Verified OK"!
But one, probably small, thing:

openssl dgst -keyform ENGINE -engine capi -verify Company -signature sig Makefile

reports "unable to load key file".

If I extract the public key with

openssl pkey -engine capi -inform e -pubout -in Company > pub_key

the result of

openssl dgst -keyform ENGINE -engine capi -verify pub_key -signature sig Makefile

is the same: "unable to load key file".

Should it be possible to check the signature using the public key?

Thank you again
Vladimir
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
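As an added example that is not part of this thread and not OpenSSL project code: the same sign / verify round trip done with a file-based DSA key pair instead of the capi engine, so that it runs anywhere an openssl binary is on PATH. It covers both checks the thread uses, -prverify with the private key and -verify with the public key extracted by "openssl pkey -pubout", and then shows a modified input failing. One detail worth knowing when reading the verify failure above: with -keyform ENGINE, dgst hands the name given to -verify to the engine to load rather than opening it as a file, so a PEM public key written to disk is read only with the default PEM key format, which is what the script below uses. Assumptions: the input file is constructed here, the function names are this example's own, and the digest is SHA-256 rather than the SHA-1 used in the thread.

```sh
#!/bin/sh
# Added example, not from the thread: sign a file and verify the signature with
# "openssl dgst" using a file-based DSA key pair (no capi engine involved).
# Assumes an openssl binary on PATH. The input file is constructed below and
# the function names are this example's own.

# Generate a 1024-bit DSA key (the size used in the thread), its PEM public key
# and a sample data file in a scratch directory; prints the directory path.
setup_dsa_workdir() {
  workdir=$(mktemp -d) || return 1
  openssl dsaparam -out "$workdir/dsa.param" 1024 2>/dev/null || return 1
  openssl gendsa -out "$workdir/dsa.key" "$workdir/dsa.param" 2>/dev/null || return 1
  # Same extraction step as the thread's "openssl pkey ... -pubout", but from a
  # PEM private key; the result is an ordinary PEM public-key file.
  openssl pkey -in "$workdir/dsa.key" -pubout -out "$workdir/dsa.pub" || return 1
  printf 'constructed sample input standing in for Makefile\n' > "$workdir/data"
  echo "$workdir"
}

# Sign $1/data with the private key; the DER-encoded signature goes to $1/data.sig.
sign_data() {
  openssl dgst -sha256 -sign "$1/dsa.key" -out "$1/data.sig" "$1/data"
}

# Verify file $2 against $1/data.sig with the PEM public key (default -keyform).
# dgst exits 0 and prints "Verified OK" on success, non-zero otherwise; that
# status is mapped to OK/FAIL on stdout so callers can compare a single word.
verify_with_pubkey() {
  if openssl dgst -sha256 -verify "$1/dsa.pub" -signature "$1/data.sig" "$2" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# -prverify performs the same check but takes the private key and derives the
# public half from it, which is what the thread's working command does.
verify_with_privkey() {
  if openssl dgst -sha256 -prverify "$1/dsa.key" -signature "$1/data.sig" "$2" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# Stand-alone demonstration: sign, verify both ways, then alter a copy of the
# input and show that verification against the original signature fails.
demo_dir=$(setup_dsa_workdir) || exit 1
sign_data "$demo_dir"
echo "public-key verify:  $(verify_with_pubkey "$demo_dir" "$demo_dir/data")"
echo "private-key verify: $(verify_with_privkey "$demo_dir" "$demo_dir/data")"
cp "$demo_dir/data" "$demo_dir/data.tampered"
printf 'one extra line\n' >> "$demo_dir/data.tampered"
echo "tampered copy:      $(verify_with_pubkey "$demo_dir" "$demo_dir/data.tampered")"
rm -rf "$demo_dir"
```

The script deliberately keeps the key in files; the only change needed to move to an engine-held private key is on the signing and -prverify lines (add -keyform ENGINE -engine capi and give the key's store name), while the -verify line stays exactly as written, because the public key it reads is a plain PEM file.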