Ciao Andrejs.

I don't know much about the source code you posted previously but if you build 
OpenSSL with the 'enable-capieng' option you'll be able to access every single 
store and all the certs stored in Windows.

I hope it helps.

Sergio.


> Date: Mon, 31 Oct 2011 09:44:11 +0100
> From: jb-open...@wisemo.com
> To: openssl-users@openssl.org
> Subject: Re: Using certificate and private key from Windows cert store with OpenSSL
> 
> In that case look for the CryptoAPI engine for openssl, not sure of its 
> official name though.
> 
> On 10/29/2011 8:21 AM, Andrejs Štrumfs wrote:
> > Duh... I was sure these were the needed parts. Now, I tried to call 
> > CryptExportKey with the PRIVATEKEYBLOB flag, and of course it returned an error, 
> > because the certificate was imported to the store without the Mark as Exportable 
> > option. But there has to be a way to use the certificate and private key somehow 
> > with OpenSSL? I'm really a beginner with this certificate thing, maybe I just 
> > don't understand something? :)
> >
> >> Simple, really:
> >>
> >> You have not set the "private" part of the private key (d, p, q, dmp1,
> >> dmq1, iqmp).
> >>
> >> You need to export the private key from CryptoAPI too, and convert that
> >> blob, not the public key blob.
> >>
> >> Alternatively, I have heard rumors of a "CryptoAPI engine" plug in for
> >> OpenSSL which will let OpenSSL directly use the keys and certificates
> >> stored by Windows.
> >>
> >>
> >> On 10/28/2011 9:48 AM, Andrejs Štrumfs wrote:
> >>> Hi!
> >>>
> >>> I am trying to make a program that uses some Web Services in Delphi
> >>> XE. To connect to the Web Services, I have to use a self-signed (hope
> >>> this is the correct term) certificate, which is stored in the Windows cert
> >>> store. So, I open the cert store with CertOpenSystemStore, get the cert
> >>> with CertFindCertificateInStore and set it with
> >>> SSL_CTX_use_certificate. No problem with this. Then I get the public
> >>> key blob with CryptExportKey and make up a private key like this:
> >>> function PrivKeyBlob2RSA(const AKeyBlob: PByte; const ALength: Integer;
> >>>   const ASSLCtx: PSSL_CTX): IdSSLOpenSSLHeaders.PEVP_PKEY;
> >>> var
> >>>     modulus: PByte;
> >>>     bh: PBLOBHEADER;
> >>>     rp: PRSAPUBKEY;
> >>>     rsa_modlen: DWORD;
> >>>     rsa_modulus: PAnsiChar;
> >>>     rkey: PRSA;
> >>> begin
> >>>     bh := PBLOBHEADER(AKeyBlob);
> >>>     Assert(bh^.bType = PUBLICKEYBLOB);
> >>>     rp := PRSAPUBKEY(AKeyBlob + 8);
> >>>     Assert(rp.magic = $31415352);
> >>>     rsa_modulus := PAnsiChar(Integer(Pointer(rp))+12);
> >>>     rkey := RSA_new_method(ASSLCtx.client_cert_engine);
> >>>     rkey^.References := 1;
> >>>     rkey^.e := BN_new;
> >>>     rkey^.n := BN_new;
> >>>     BN_set_word(rkey^.e, rp^.pubexp);
> >>>     rsa_modlen := (rp^.bitlen div 8) + 1;
> >>>     modulus := AllocMem(rsa_modlen);
> >>>     CopyMemory(modulus, rsa_modulus, rsa_modlen);
> >>>     RevBuffer(modulus, rsa_modlen);
> >>>     BN_bin2bn(modulus, rsa_modlen, rkey^.n);
> >>>     Result := EVP_PKEY_new;
> >>>     EVP_PKEY_assign_RSA(Result, PAnsiChar(rkey));
> >>> end;
> >>>
> >>> and set it up with SSL_CTX_use_PrivateKey and
> >>> SSL_CTX_check_private_key. Also, no problem so far. But then, when data
> >>> transfer begins, I get an access violation in libeay32.dll - Access
> >>> violation at address 09881C5F in module 'libeay32.dll'. Read of address
> >>> 00000000. If I load the key from a .pem file, everything is fine.
> >>> The libeay32.dll version is 1.0.0.5. Tried with version 0.9.something
> >>> too - got the same error, just a different address.
> >>> Below is the RSA structure I get in PrivKeyBlob2RSA:
> >>>
> >>> pad    0
> >>> version  0
> >>> meth       $898030C
> >>> engine     nil
> >>> n      $A62D508
> >>> e      $A62D4D8
> >>> d      nil
> >>> p      nil
> >>> q      nil
> >>> dmp1       nil
> >>> dmq1       nil
> >>> iqmp       nil
> >>> ex_data    (nil, -1163005939 {$BAADF00D})
> >>> references 1
> >>> flags      6
> >>> _method_mod_n   nil
> >>> _method_mod_p   nil
> >>> _method_mod_q   nil
> >>> bignum_data nil {#0}
> >>> blinding    nil
> >>> mt_blinding nil
> >>>
> >>> I checked the n and e bignums, and they are CORRECT, and everything
> >>> else looks ok. The error happens when calling function ssl_read. I
> >>> can't see what I am doing wrong, please help :) Thanks
> >>>
> >>> Andrejs
> >>>
> >> ______________________________________________________________________
> >> OpenSSL Project                                 http://www.openssl.org
> >> User Support Mailing List                    openssl-users@openssl.org
> >> Automated List Manager                           majord...@openssl.org
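To make concrete what the quoted Delphi parses (a CryptoAPI PUBLICKEYBLOB, which only yields n and e) versus what OpenSSL's RSA struct needs before SSL_read can perform the private operation, here is an added Python example that is not from the thread: it builds and parses both the PUBLICKEYBLOB and PRIVATEKEYBLOB layouts and shows the private operation refusing a key whose d is missing. The 16-bit toy key and all function names are constructed for the demo.

```python
import struct

PUBLICKEYBLOB, PRIVATEKEYBLOB = 0x06, 0x07
CALG_RSA_KEYX = 0x0000A400
RSA1, RSA2 = 0x31415352, 0x32415352  # "RSA1" public / "RSA2" private magic

def build_ms_rsa_blob(n, e, bitlen, priv=None):
    """Serialise like CryptExportKey; priv=(p, q, dmp1, dmq1, iqmp, d) selects PRIVATEKEYBLOB."""
    btype, magic = (PRIVATEKEYBLOB, RSA2) if priv else (PUBLICKEYBLOB, RSA1)
    blob = struct.pack("<BBHI", btype, 2, 0, CALG_RSA_KEYX)  # BLOBHEADER
    blob += struct.pack("<III", magic, bitlen, e)            # RSAPUBKEY
    blob += n.to_bytes(bitlen // 8, "little")                # modulus: exactly bitlen/8 bytes
    if priv:
        p, q, dmp1, dmq1, iqmp, d = priv
        for v in (p, q, dmp1, dmq1, iqmp):                   # CRT parts: bitlen/16 bytes each
            blob += v.to_bytes(bitlen // 16, "little")
        blob += d.to_bytes(bitlen // 8, "little")
    return blob

def parse_ms_rsa_blob(blob):
    """Fields of OpenSSL's RSA struct; a PUBLICKEYBLOB leaves d, p, q, dmp1, dmq1, iqmp None."""
    btype, _ver, _res, _alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, e = struct.unpack_from("<III", blob, 8)
    if (btype, magic) not in ((PUBLICKEYBLOB, RSA1), (PRIVATEKEYBLOB, RSA2)):
        raise ValueError("bType/magic mismatch: not a CryptoAPI RSA blob")
    pos = 20                                                 # BLOBHEADER (8) + RSAPUBKEY (12)
    def take(size):                                          # little-endian field reader
        nonlocal pos
        if pos + size > len(blob):
            raise ValueError("blob truncated")
        pos += size
        return int.from_bytes(blob[pos - size:pos], "little")
    key = dict.fromkeys(("d", "p", "q", "dmp1", "dmq1", "iqmp"))
    key["n"], key["e"] = take(bitlen // 8), e
    if btype == PRIVATEKEYBLOB:
        for name in ("p", "q", "dmp1", "dmq1", "iqmp"):
            key[name] = take(bitlen // 16)
        key["d"] = take(bitlen // 8)
    return key

def rsa_private_op(key, m):
    """The private operation the handshake needs; fails cleanly rather than dereferencing a NULL d."""
    if key["d"] is None:
        raise ValueError("no private part: import a PRIVATEKEYBLOB or use the capi engine")
    return pow(m, key["d"], key["n"])

# Constructed toy key (p=61, q=53, e=17, d=2753) so this runs offline; real keys are 2048+ bits.
TOY_PRIV = (61, 53, 2753 % 60, 2753 % 52, pow(53, -1, 61), 2753)
TOY_PUB_BLOB = build_ms_rsa_blob(3233, 17, 16)
TOY_PRIV_BLOB = build_ms_rsa_blob(3233, 17, 16, TOY_PRIV)
```

The modulus field is exactly bitlen div 8 bytes, so the `+ 1` in the quoted rsa_modlen reads one byte past it; with a non-exportable key the only options are the PRIVATEKEYBLOB route (exportable keys) or letting the CryptoAPI engine perform the private operation inside Windows.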