Thanks for the reply, Kyle. This makes things better. I have searched for documentation on engines in the docs but only found engine.pod, which is a reference. Is there a tutorial somewhere which explains how to write an engine? Also, how much expertise (OpenSSL) does one need to write an engine?

Are there any engines which do key-loading in the codebase which I can look at? (A grep -r * did not reveal much.)

Thanks,
-Suman

On 7/17/06, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
OpenSSL has its own data store in the form of PKCS-formatted files. This allows for it to operate on any platform, not just Windows. This causes issues when dealing with the Windows CryptoAPI data store, though. The proper way to implement this would be as an engine, as you're using external capabilities which give no access to the key material -- thus, OpenSSL's functions themselves have nothing with which to work. Writing it as an engine would make it such that OpenSSL's API will already know how to do the work, by foisting it off onto an external implementation.

Cheers,
-Kyle H

On 7/16/06, Suman Karumuri <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I want to write a patch to OpenSSL so that it can directly use a private key stored in the Windows certificate store. For this I am planning to write proxies for the sign and decrypt functions. This proxy will use the private key stored in the Windows certificate store which is not marked as exportable and which is password protected.
>
> These sign and decrypt functions will be called via PHP's openssl library. Since these keys are not exportable and are password protected, a workaround from PHP is not possible. (A solution I got from the archives.) I am planning to use the Windows cryptography API (CAPI) to access the Windows certificate store.
>
> Here are some questions I am trying to find answers for:
>
> 1) How difficult/easy is it to make these changes? (I am only interested in the sign and decrypt functions.)
>
> 2) Has anyone written a patch already to do this? (I have not found anything related on the contrib page.)
>
> 3) Upon browsing through the source code, I came across a macro, PEM_read_PrivateKey in crypto/pem/pem.h, which actually accesses the private key.
>
> The current definition of the macro in 0.9.8b is
>
> #define PEM_read_PrivateKey(fp,x,cb,u) (EVP_PKEY *)PEM_ASN1_read( \
>     (char *(*)())d2i_PrivateKey,PEM_STRING_EVP_PKEY,fp,(char **)x,cb,u)
>
> I am planning to change this macro to call my proxy, which will in turn call PEM_ASN1_read. Is this the right way to solve the problem? I only started looking at the codebase today, so please go soft on this noob :).
>
> 4) OpenSSL not having its own datastore all the more confuses me because then it should have some mechanism to talk to the Windows certificate store already, which seems not to be the case.
>
> 5) A few pointers on where to start looking would be immensely helpful.
>
> Thanks in advance,
> -Suman
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [email protected]
> Automated List Manager [EMAIL PROTECTED]
> ______________________________________________________________________
