Re: [DEV] OpenSSL and Microsoft Windows

2006-04-26 Thread Matthieu BONETTI
Hello,

Thanks for your answer, but it wasn't what I need. I forgot to say it was a 
question about programming with the OpenSSL API.

I need to port a small application using OpenSSL to make TLS tunnels.
This application uses SSL_CTX_use_certificate_chain_file(ctx, certfile) to 
load the client certificate. certfile is the filename of the certificate 
(client.pem). The thing is I need to import a specific certificate from the 
"Certificate Store" on Microsoft Windows and feed it into 
SSL_CTX_use_certificate_chain_file (or an equivalent function).

Maybe I can dump the certificate in DER format using the CAPICOM API (I think 
this is the only way to get a certificate from the certificate store, unless 
using .NET) to a temporary file and then load it with OpenSSL. But it 
wouldn't be secure at all.

Btw, is there a nice OpenSSL programming manual available on the internet? I 
can only find some short tutorials and the manpages.

On Wed, 26 Apr 2006 06:39:08 -0700, Jeff Saxton <[EMAIL PROTECTED]> wrote:
> openssl x509 -inform DER -in MS_CERT -outform PEM -out OPENSSL_CERT
> 
> Matthieu BONETTI wrote:
>> Hello,
>>
>> Is there a way to use Microsoft stored certificates with OpenSSL? I
>> can't find anything on this.
>> I can access those certificates using CAPICOM, but OpenSSL requires a
>> PEM file.
>>
>> Regards,
>>
> 
> --
> Jeff Saxton
> SenSage, Inc.
> 55 Hawthorne Street Suite 700
> San Francisco, CA 94105
> Phone:  415.808.5900
> Fax:415.371.1385
> Direct: 415-808-5921
> Cell:   415-640-6392
> mailto:[EMAIL PROTECTED]
-- 
Matthieu Bonetti
Mobile. +33 684 957 844 - Portable. 06 84 95 78 44

__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          [EMAIL PROTECTED]


Re: [DEV] OpenSSL and Microsoft Windows

2006-04-26 Thread Arno Garrels
Matthieu BONETTI wrote:
> The thing is I need to
> import a specific certificate from "Certificate Store" 
> on Microsoft Windows and dump it into SSL_CTX_use_certificate_chain_file
> (or an equivalement function). 

I think you can use d2i_X509() and X509_STORE_add_cert().

I used CryptoAPI to get a cert from the Windows certificate stores:
CertOpenStore(), CertEnumCertificatesInStore().
Then this line (Delphi):

X509 := d2i_X509(nil, @pCertContext.pbCertEncoded, pCertContext.cbCertEncoded);

Arno Garrels


Re: [DEV] OpenSSL and Microsoft Windows

2006-04-27 Thread dsf
I think yes. MS stores certificates in DER format. You can pass it to OpenSSL 
with the "-inform DER" switch. Or you can convert DER to PEM with OpenSSL.


> Hello,
> 
> Is there a way to use Microsoft stored certificates with OpenSSL? I can't 
> find anything on this.
> I can access to those certificates using CAPICOM, but OpenSSL requires a PEM 
> file.
> 
> Regards,
> 
> -- 
> Matthieu Bonetti
> Mobile. +33 684 957 844 - Portable. 06 84 95 78 44




Re: [DEV] OpenSSL and Microsoft Windows

2006-04-27 Thread Kyle Hamilton
Technically, DER is Distinguished Encoding Rules, a subset of Basic
Encoding Rules.

OpenSSL can use '-inform DER' to state that it's in DER instead of PEM.

PEM is just an ASCII-64 version (akin to uuencoding) of the DER data.

[and don't get me started on XER.]

-Kyle H

On 4/27/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> I think yes. MS stores certificates in DER format. You can pass it to OpenSSL 
> with "-inform DER" key. Or you can convert DER to PEM with OpenSSL.


Re: [DEV] OpenSSL and Microsoft Windows

2006-04-27 Thread Matthieu BONETTI
Hello,

I agree on the fact that MS can import/export certificates in DER format (and 
PKCS#12 as well).
I'm not familiar with MS systems and MS programming, but I understood that 
Windows really stores certificates in pieces (in the registry, in files in the 
UserData directory). So what I need is to get the certificate (with the MS 
CAPICOM API) and change it to fit into an X509 structure.

That way, it would be possible for me to use the certificate with OpenSSL.

On Thu, 27 Apr 2006 12:19:33 +0400 (MSD), [EMAIL PROTECTED] wrote:
> I think yes. MS stores certificates in DER format. You can pass it to
> OpenSSL with "-inform DER" key. Or you can convert DER to PEM with
> OpenSSL.  
-- 
Matthieu Bonetti
Mobile. +33 684 957 844 - Portable. 06 84 95 78 44



Re: [DEV] OpenSSL and Microsoft Windows

2006-04-27 Thread Kyle Hamilton
If it's exported as a DER file, it's already in an X509 structure.  If
it's exported as a PKCS#12 file, then OpenSSL has tools for parsing
that too.  I don't really understand what your problem is.

MS's cryptography system is built around the concept of FIPS
compliance.  That means that it's almost impossible to get the
certificates and keys out of it without going through its defined
interfaces.  This means, on Windows 2000+, using certmgr.msc to manage
them and export them to DER or P12.

-Kyle H

On 4/27/06, Matthieu BONETTI <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I agree on the fact that MS can import/export certificates in DER format (and 
> PKCS#12 as well).
> I'm not familiar with MS systems and MS programming, but I understood that 
> Windows really stores certificates in pieces (in the registry, in files in the 
> UserData directory). So what I need is to get the certificate (with the MS 
> CAPICOM API) and change it to fit into an X509 structure.
>
> That way, it would be possible for me to use the certificate with OpenSSL.


Re: [DEV] OpenSSL and Microsoft Windows

2006-04-27 Thread Dr. Stephen Henson
On Thu, Apr 27, 2006, Matthieu BONETTI wrote:

> Hello,
> 
> I agree on the fact that MS can import/export certificates in DER format (and 
> PKCS#12 as well).
> I'm not familiar with MS systems and MS programming, but I understood that 
> Windows really stores certificates in pieces (in the registry, in files in the 
> UserData directory). So what I need is to get the certificate (with the MS 
> CAPICOM API) and change it to fit into an X509 structure.
> 
> That way, it would be possible for me to use the certificate with OpenSSL.
> 

If you are using C then CryptoAPI is probably the easiest thing to use. If you
look at all the Cert*() functions you'll find loads of stuff for locating the
certificate you are interested in.

These often return a pointer to a CERT_CONTEXT structure. The buffer at
pbCertEncoded for cbCertEncoded bytes contains the DER form.

From those you can create an X509 structure using d2i_X509(): don't forget the
FAQ comment about using a temp pointer.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
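Two points in this thread are worth seeing in code: Kyle's remark that PEM is only the base64 form of the DER bytes, and Steve's note that the pbCertEncoded/cbCertEncoded buffer of a CERT_CONTEXT is the DER form that d2i_X509() consumes, with the FAQ caveat about passing a temporary pointer. The block below is an added example, not code from this thread, from OpenSSL or from Microsoft. It needs neither CryptoAPI nor libcrypto: der_read_header() follows the same pointer-advancing convention as OpenSSL's d2i_*() functions (which is exactly why the temp-pointer caveat exists), der_is_single_sequence() checks that a buffer holds one complete DER SEQUENCE of the declared length, which is the minimum a cbCertEncoded blob must satisfy before it is handed to d2i_X509(), and der_to_pem() produces the PEM text in memory so nothing has to be written to a temporary file. The input is a constructed SEQUENCE { INTEGER, OCTET STRING }, not a real certificate; the function names and the CERTIFICATE label are this example's own choices.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode one DER tag + length header.  Like OpenSSL's d2i_*() functions it
 * advances *pp past what it consumed, which is why callers should pass a
 * temporary copy of their buffer pointer (the FAQ caveat mentioned above).
 * Returns 1 and sets *tag and *len on success; 0 on a truncated header or a
 * non-minimal length, which BER allows but DER forbids. */
static int der_read_header(const unsigned char **pp, size_t avail,
                           unsigned char *tag, size_t *len)
{
    const unsigned char *p = *pp;
    size_t hdr;

    if (avail < 2)
        return 0;
    *tag = p[0];
    if (p[1] < 0x80) {                   /* short form: one length byte */
        *len = p[1];
        hdr = 2;
    } else {                             /* long form: 0x80|n, then n bytes */
        size_t n = p[1] & 0x7f, i, l = 0;
        if (n == 0 || n > sizeof(size_t) || avail < 2 + n)
            return 0;
        for (i = 0; i < n; i++)
            l = (l << 8) | p[2 + i];
        if (p[2] == 0 || l < 0x80)       /* leading zero / short-form value */
            return 0;
        *len = l;
        hdr = 2 + n;
    }
    *pp = p + hdr;
    return 1;
}

/* 1 if buf[0..len) is exactly one DER SEQUENCE (tag 0x30) whose declared
 * length matches len; this is the shape d2i_X509() expects for the
 * pbCertEncoded/cbCertEncoded buffer.  Truncation or trailing bytes give 0. */
int der_is_single_sequence(const unsigned char *buf, size_t len)
{
    const unsigned char *p = buf;        /* temp pointer; buf itself is untouched */
    unsigned char tag;
    size_t body;

    if (!der_read_header(&p, len, &tag, &body) || tag != 0x30)
        return 0;
    return (size_t)(p - buf) + body == len;
}

/* Wrap DER in PEM armour (base64, 64-character lines) into out[outsz],
 * NUL-terminated.  Returns the length written, or 0 if out is too small. */
size_t der_to_pem(const unsigned char *der, size_t len, const char *label,
                  char *out, size_t outsz)
{
    static const char b64[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t o = 0, i, col = 0;
#define PUT(c)  do { if (o + 1 >= outsz) return 0; out[o++] = (char)(c); } while (0)
#define PUTS(s) do { const char *q = (s); while (*q) PUT(*q++); } while (0)

    PUTS("-----BEGIN "); PUTS(label); PUTS("-----\n");
    for (i = 0; i < len; i += 3) {
        unsigned int v = (unsigned int)der[i] << 16;
        if (i + 1 < len) v |= (unsigned int)der[i + 1] << 8;
        if (i + 2 < len) v |= der[i + 2];
        PUT(b64[(v >> 18) & 63]);
        PUT(b64[(v >> 12) & 63]);
        PUT(i + 1 < len ? b64[(v >> 6) & 63] : '=');
        PUT(i + 2 < len ? b64[v & 63] : '=');
        if ((col += 4) == 64) { PUT('\n'); col = 0; }
    }
    if (col) PUT('\n');
    PUTS("-----END "); PUTS(label); PUTS("-----\n");
#undef PUT
#undef PUTS
    out[o] = '\0';
    return o;
}

/* Constructed sample (not a certificate): SEQUENCE { INTEGER 1, OCTET STRING
 * of 194 bytes }, 203 bytes in all, sized so the outer length needs the long
 * form 0x81 0xC8.  d2i_X509() would accept the header and reject the body. */
size_t build_sample_der(unsigned char *buf, size_t cap)
{
    static const unsigned char head[] = { 0x30, 0x81, 0xC8,   /* SEQUENCE, 200 */
                                          0x02, 0x01, 0x01,   /* INTEGER 1 */
                                          0x04, 0x81, 0xC2 }; /* OCTET STRING, 194 */
    if (cap < 203)
        return 0;
    memcpy(buf, head, sizeof head);
    memset(buf + sizeof head, 0xAB, 194);
    return 203;
}

int main(void)
{
    unsigned char der[256];
    char pem[512];
    size_t n = build_sample_der(der, sizeof der);

    printf("single DER SEQUENCE: %s\n",
           der_is_single_sequence(der, n) ? "yes" : "no");
    if (der_to_pem(der, n, "CERTIFICATE", pem, sizeof pem))
        fputs(pem, stdout);  /* hand this to PEM_read_bio_X509() via BIO_new_mem_buf() */
    return 0;
}
```

In the real program the two checks sit between CryptoAPI and OpenSSL: after CertFindCertificateInStore() hands back a CERT_CONTEXT, run der_is_single_sequence() over pbCertEncoded/cbCertEncoded, then call d2i_X509(NULL, &tmp, cbCertEncoded) on a copy of the pointer and SSL_CTX_use_certificate() on the result, rather than on the CERT_CONTEXT field itself, which d2i_X509() would advance. The PEM text is only needed if the existing SSL_CTX_use_certificate_chain_file() path must be kept; a memory BIO avoids the temporary file that worried the original poster. Note that this only moves the certificate: the private key stays in the Microsoft CSP unless it is exported as PKCS#12, as Kyle points out.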