On 24-07-2012 19:31, Nou Dadoun wrote:
Hey folks,
I recently added a facility to our code base to retrieve a certificate and
private key from a windows certificate store (using the windows crypto api) and
converted it to a form usable by openssl. The certificate part was easy, the
key a little trickier, involving the creation of a new rsa key pair in openssl
and then modifying the parameters to match those derived from the
privatekeyblob pulled from the windows cert data structure.
You are doing it very, very wrong.
A key feature of MS CryptoApi (and of most other engines) is that they
are designed not to give you the key, ever.
To get the privatekeyblob from CryptoApi, the key store has to be badly
misconfigured (specifically, the key has to be stored in the registry
*and* marked as "exportable" with an password that your code can access
without user assistance).
The right way is to use the engine functionality in OpenSSL to let
OpenSSL use the key without ever extracting it from CryptoAPI. This
works by telling OpenSSL to use the "engine for CryptoAPI" to do the
secret key operation (DSA signing in your current case), the "engine for
CryptoAPI" will then turn the OpenSSL DSA signing call into a CryptoAPI
signing call, which CryptoAPI can then perform without exporting or
otherwise revealing the secret key.
For FIPS certified uses, you then need to enable FIPS mode in both
OpenSSL (so OpenSSL will only use the FIPS certified and approved
algorithms) and in CryptoAPI (this is set in "Administrative Tools" ->
"Local Security Policy" -> "Security Settings" -> "Local Policies" ->
"Security Options" -> "System cryptography: Use FIPS compliant
algorithms for encryption, hashing and signing").
For added security, install a FIPS certified hardware key storage (such
as certain models of Spyrus smart cards) and its Windows drivers so its
keys are then reached through CryptoAPI calls (to CryptoAPI, the
registry stored keys are just a fallback driver emulating such hardware
with less security). Alternatively, you could install the Windows
PKCS#11 driver for the hardware and use OpenSSL's pkcs11 engine to
access it, but someone recently posted problems using the PKCS#11 engine
with FIPS enabled.
This was all done for RSA keys and although I had a number of false starts, it
wasn't too painful (once I'd arranged for exportable keys and got out of
windows api land as quickly as possible).
We've just had a customer request to support the use of DSA certificates which
I know little about (so far), can the same general process be used to
extract/convert DSA keys (I'm assuming that the certificate encoding is
essentially the same).
Does anyone have experience with this? Any pointers or links to documentation
for how this might be done?
Thanks in advance .... N
--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10
<call:+4531131610>
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
