Re: OpenSSL - CryptoAPI - nCipher

2012-03-14 Thread Sunjeet Singh

> Then it is probably DER format. Use d2i_X509_fp instead and make sure you open
> the fp in binary mode.
> 
> Steve.


Yes, indeed. It worked! Thanks again for your quick reply.

Sunjeet


OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org


Re: OpenSSL - CryptoAPI - nCipher

2012-03-14 Thread Dr. Stephen Henson
On Wed, Mar 14, 2012, Sunjeet Singh wrote:

> >> 8. Now, I want to load the certificate into the same SSL Context. 
> >>At first I tried using the simple-
> >>ENGINE_load_ssl_client_cert() 
> >>on the certificate file generated earlier, but that failed. I can 
> >> understand why- the certificate is encrypted (self-signed).
> >>So it seems like the function that I would want to use instead 
> >> is-
> >>ENGINE_load_ssl_client_certificate()
> >>But I'm not entirely sure if the same certificate is supposed to go 
> >> into the context as "client" certificate and if I am trying to do the 
> >> right thing. 
> >> 
> >> 
> >> Can someone please point me in the right direction? Hopefully I've 
> >> included all information that is relevant to my question.
> >> 
> > 
> > Forget about the ENGINE for this step. You can load the certificate into an
> > X509 structure and pass that to the SSL_CTX.
> > 
> > How you do that depends on the certificate format. If it is PEM format you 
> > can
> > use PEM_read_X509. If DER the d2i_X509_fp will do the trick.
> > 
> 
> Hi Steve, thanks for your reply. While it's definitely helped me take another 
> step in the right direction, I've run into a problem when using the 
> PEM_read_X509() function.
> 
> The error string that I get from the function call is "_base = 0x047329a8 
> "6632:error:0906D06C:PEM 
> routines:func(109):reason(108):.\crypto\pem\pem_lib.c:696:Expecting: 
> CERTIFICATE".
> And when I open my foocert.PEM file in a text editor, it is not readable. 
> 

Then it is probably DER format. Use d2i_X509_fp instead and make sure you open
the fp in binary mode.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
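Steve's answer above turns on the reader matching the file: makecert wrote a DER file, so PEM_read_X509 failed with "Expecting: CERTIFICATE". As an added example (not code from the thread or from OpenSSL), this sniffs a certificate file read in binary mode and reports whether the PEM or the DER reader is the right one; the enum, function names and buffer size are my own.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not code from the thread). makecert writes DER while
 * "openssl x509" writes PEM by default, so the reader must match the file:
 * PEM_read_X509 on a DER file fails with "Expecting: CERTIFICATE". */
enum cert_format { CERT_PEM, CERT_DER, CERT_UNKNOWN };

/* Classify the full contents of a certificate file read in binary mode. */
enum cert_format cert_format_of(const unsigned char *buf, size_t len)
{
    static const char pem_hdr[] = "-----BEGIN ";
    size_t hdr_len, body_len;
    if (len >= sizeof(pem_hdr) - 1 &&
        memcmp(buf, pem_hdr, sizeof(pem_hdr) - 1) == 0)
        return CERT_PEM;
    /* DER X.509 starts with an outer SEQUENCE (tag 0x30) whose definite
     * length must cover exactly the rest of the file. */
    if (len < 2 || buf[0] != 0x30)
        return CERT_UNKNOWN;
    if (buf[1] < 0x80) {                 /* short form: one length byte */
        hdr_len = 2;
        body_len = buf[1];
    } else {                             /* long form: 0x8N then N bytes */
        size_t n = buf[1] & 0x7f, i;
        if (n == 0 || n > sizeof(size_t) || len < 2 + n)
            return CERT_UNKNOWN;
        body_len = 0;
        for (i = 0; i < n; i++)
            body_len = (body_len << 8) | buf[2 + i];
        hdr_len = 2 + n;
    }
    return hdr_len + body_len == len ? CERT_DER : CERT_UNKNOWN;
}

/* Open in binary mode ("rb"): on Windows, text mode translates CR/LF and
 * stops at 0x1A, corrupting DER so that even d2i_X509_fp fails.  A file
 * larger than the buffer is reported as CERT_UNKNOWN. */
enum cert_format cert_format_of_file(const char *path)
{
    unsigned char buf[16384];
    size_t n;
    FILE *fp = fopen(path, "rb");
    if (fp == NULL)
        return CERT_UNKNOWN;
    n = fread(buf, 1, sizeof(buf), fp);
    fclose(fp);
    return cert_format_of(buf, n);
}
```

Dispatch on the result with PEM_read_X509(fp, NULL, NULL, NULL) for CERT_PEM or d2i_X509_fp(fp, NULL) for CERT_DER, then hand the X509 to SSL_CTX_use_certificate and call SSL_CTX_check_private_key so that a mismatch between the certificate and the engine-loaded key is caught at startup rather than during the handshake.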


Re: OpenSSL - CryptoAPI - nCipher

2012-03-14 Thread Sunjeet Singh
>> 8. Now, I want to load the certificate into the same SSL Context. 
>>  At first I tried using the simple-
>>  ENGINE_load_ssl_client_cert() 
>>  on the certificate file generated earlier, but that failed. I can 
>> understand why- the certificate is encrypted (self-signed).
>>  So it seems like the function that I would want to use instead 
>> is-
>>  ENGINE_load_ssl_client_certificate()
>>  But I'm not entirely sure if the same certificate is supposed to go 
>> into the context as "client" certificate and if I am trying to do the right 
>> thing. 
>> 
>> 
>> Can someone please point me in the right direction? Hopefully I've included 
>> all information that is relevant to my question.
>> 
> 
> Forget about the ENGINE for this step. You can load the certificate into an
> X509 structure and pass that to the SSL_CTX.
> 
> How you do that depends on the certificate format. If it is PEM format you can
> use PEM_read_X509. If DER the d2i_X509_fp will do the trick.
> 

Hi Steve, thanks for your reply. While it's definitely helped me take another 
step in the right direction, I've run into a problem when using the 
PEM_read_X509() function.

The error string that I get from the function call is "_base = 0x047329a8 
"6632:error:0906D06C:PEM 
routines:func(109):reason(108):.\crypto\pem\pem_lib.c:696:Expecting: 
CERTIFICATE".
And when I open my foocert.PEM file in a text editor, it is not readable. 

Going back to how I created it: I used the command string-
makecert -r -sk fooContainer -sp "nCipher Enhanced Security Provider" -sky 
exchange foocert.pem

When my working code was using software key storage earlier, my .PEM looked 
like a readable text file of the form- 
-BEGIN CERTIFICATE-
9w0BA
...
TKekJ==
-END CERTIFICATE-
...but of course that was created using an "openssl x509" command since my 
private and public key files were available on the disk.

So I guess the question now really is- How do you create a .PEM X509 
self-signed certificate for a CAPI key that is stored in a container on the 
nCipher hardware?

This might be the last hurdle for my OpenSSL integration with nCipher. 


Thank you,
Sunjeet




Re: OpenSSL - CryptoAPI - nCipher

2012-03-13 Thread Dr. Stephen Henson
On Tue, Mar 13, 2012, Sunjeet Singh wrote:

> 8. Now, I want to load the certificate into the same SSL Context. 
>   At first I tried using the simple-
>   ENGINE_load_ssl_client_cert() 
>   on the certificate file generated earlier, but that failed. I can 
> understand why- the certificate is encrypted (self-signed).
>   So it seems like the function that I would want to use instead 
> is-
>   ENGINE_load_ssl_client_certificate()
>   But I'm not entirely sure if the same certificate is supposed to go 
> into the context as "client" certificate and if I am trying to do the right 
> thing. 
> 
> 
> Can someone please point me in the right direction? Hopefully I've included 
> all information that is relevant to my question.
> 

Forget about the ENGINE for this step. You can load the certificate into an
X509 structure and pass that to the SSL_CTX.

How you do that depends on the certificate format. If it is PEM format you can
use PEM_read_X509. If DER the d2i_X509_fp will do the trick.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


OpenSSL - CryptoAPI - nCipher

2012-03-13 Thread Sunjeet Singh
Hi,

In trying to implement integration of my application that uses OpenSSL with 
nCipher HSM using CryptoAPI, I am stuck with a rather conceptual issue. First 
let me explain the steps that I was able to do successfully (hopefully I'm 
doing these right and this will be a helpful summarization for others), and 
then I'll come to my question. 


First things first- I created the keys and a certificate.

1. First off, I started with creating a CryptoAPI container called 
"fooContainer" (using the nCipher CSP and hence generated on the HSM), and 
within it, key pairs for Signature and Exchange. I achieved this using the 
nCipher utility- keytst.exe

2. Then, using Microsoft SDK's makecert.exe utility, I created a self-signed 
.PEM certificate from the Exchange key pair.


Next, integration of CAPI engine and hardware keys with existing OpenSSL 
implementation-

3. My application was designed to use OpenSSL with software key storage. Thus, 
it already uses OpenSSL function calls- SSL_CTX_use_PrivateKey_file() and 
SSL_CTX_use_certificate_chain_file() and makes use of the private key and 
certificate stored on disk during the SSL connection establishment. And so my 
goal is to modify the application up to this point and set the SSL context 
structures with appropriate values, so that it can use the new private key and 
certificate.

4. So I initialized the CAPI engine using the following set of functions-
ENGINE_load_capi();
e = ENGINE_by_id( engine_id );
ENGINE_init( e );
ENGINE_set_default( e, ENGINE_METHOD_ALL );

5. Then, to load the private key from the card, I configured the Engine to use 
the right CSP and container name as follows-
ENGINE_ctrl_cmd_string( e, "csp_name", "nCipher Enhanced Cryptographic Provider", 0 );
ENGINE_ctrl_cmd_string( e, "lookup_method", "3" /* container name */, 0 );
ENGINE_ctrl_cmd_string( e, "key_type", "1" /* AT_EXCHANGE (default) */, 0 );

6. Finally, I load the Private Key into an EVP_PKEY structure using-
prikey = (EVP_PKEY *) ENGINE_load_private_key( e, "fooContainer", NULL, 
NULL );
I see that my prikey is loaded successfully.

7. Eventually, I load the Private Key into the SSL context using-
SSL_CTX_use_PrivateKey( sslCtx, prikey );
This also succeeds.

8. Now, I want to load the certificate into the same SSL Context. 
At first I tried using the simple-
ENGINE_load_ssl_client_cert() 
on the certificate file generated earlier, but that failed. I can 
understand why- the certificate is encrypted (self-signed).
So it seems like the function that I would want to use instead 
is-
ENGINE_load_ssl_client_certificate()
But I'm not entirely sure if the same certificate is supposed to go 
into the context as "client" certificate and if I am trying to do the right 
thing. 


Can someone please point me in the right direction? Hopefully I've included all 
information that is relevant to my question.


Thank you,
Sunjeet