Hello,

This is nice, although I don't see any real use case for this engine, as you require the user to manually export information from the CryptoAPI store into files before the engine can be used.
I think the OpenSSL engine interface (generically) should allow exposing a certificate store; this would allow engines such as this one or PKCS#11 to expose the complete object list and references. There is not much point in holding certificates in files while they exist in CryptoAPI or on a smartcard... And there is no point in not allowing a program to enumerate the available certificates an engine can provide. There is also an issue of resource prompts (passphrase, token) and a small issue of object serialization in the engine interface. I am afraid that as long as the OpenSSL engine interface remains so low-level, developers will look into alternate solutions.

Best Regards,
Alon Bar-Lev.

On 6/29/07, Roumen Petrov via RT <[EMAIL PROTECTED]> wrote:
Please find attached the file "openssl-mscrypto-20070625.tar.gz" with an openssl engine that can use keys from the Windows key-store. The engine can work with external keys too. The source is for openssl version 0.9.8, and the mingw build requires openssl source with the mingw patch for 0.9.8 from request #1552 (see OpenSSL Request Tracker).

The directory "engines/" contains the source code, and in "test/" are batch files for test cases, the environment and sample openssl config files for the engine (openssl.cnf is for 0.9.7). The engine can be used in 0.9.7, but mscrypto_err.* should be recreated with the corresponding util/mkerr.pl.

The engine supports only RSA keys/certificates. You don't need to mark the private key as exportable when importing a PKCS#12 (pfx) file. The engine can use certificates/keys stored on smart cards.

The tests require a private key, the corresponding public key and a certificate that matches the private key. Every test case is an operation with the engine and the opposite operation without it. The character "a" in a test case is for with->without engine, "b" is for "without->with". Test case 1x is for "rsautl" encrypt->decrypt, 2x - "rsautl" sign->verify, 3x1 - dgst sign->verify with keys/certs from files, and in 3x2 (dgst sign->verify) the engine will use the certificate from the key-store. For test cases 3{a,b}2 a certificate with matching private key should be loaded into the key-store. In test cases 2{a,b} rsautl sign->verify should fail. This looks like a problem with the implementation in the crypto provider used.

The file env.bat sets paths to the openssl program and configuration, the engine, key files, certificate "canonical name", etc. To run a test you should set TEST in "do_test.bat" and run it. The extension of the openssl configuration file is cnf and by default it is always hidden.

Instructions for the mingw build environment:

Build command:
$ make -f Makefile.mscrypto OPENSSLSRC=<path_to_openssl_source>

Make sure that openssl is built and installed.
To install:
$ make -f Makefile.mscrypto install {INSTALLTOP=...} {INSTALL_PREFIX=..}
where INSTALLTOP and INSTALL_PREFIX are optional.

Roumen
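The with/without-engine round trip of test case 1 (1a: encrypt via the engine, decrypt from a key file; 1b: the reverse), written out as an added batch example rather than code from the attached tarball. It assumes the engine id is "mscrypto" (inferred from the file names, not confirmed by the post) and that env.bat defines OPENSSL, OPENSSL_CONF, KEY_ID (whatever key-store identifier the engine expects for -inkey), PUBKEY and PRIVKEY (PEM files for the same key pair).

```bat
@echo off
rem Added example, not part of the posted engine. Assumptions: engine id
rem "mscrypto"; env.bat sets OPENSSL, OPENSSL_CONF, KEY_ID, PUBKEY, PRIVKEY.
call env.bat
set ENGINE_ID=mscrypto
echo test vector for mscrypto round trip > plain.txt

rem --- 1a: encrypt WITH the engine (public key from key-store), decrypt WITHOUT ---
%OPENSSL% rsautl -encrypt -engine %ENGINE_ID% -keyform engine -pubin -inkey "%KEY_ID%" -in plain.txt -out enc1a.bin || goto fail
%OPENSSL% rsautl -decrypt -inkey %PRIVKEY% -in enc1a.bin -out dec1a.txt || goto fail
rem fc returns errorlevel 1 if the plaintext did not survive the round trip
fc plain.txt dec1a.txt >nul || goto fail

rem --- 1b: encrypt WITHOUT the engine (public key file), decrypt WITH the engine ---
%OPENSSL% rsautl -encrypt -pubin -inkey %PUBKEY% -in plain.txt -out enc1b.bin || goto fail
%OPENSSL% rsautl -decrypt -engine %ENGINE_ID% -keyform engine -inkey "%KEY_ID%" -in enc1b.bin -out dec1b.txt || goto fail
fc plain.txt dec1b.txt >nul || goto fail

echo PASS: 1a and 1b round trips match
exit /b 0

:fail
echo FAIL: see openssl output above (engine load, key lookup or padding mismatch)
exit /b 1
```

Both directions have to pass for the engine and the provider to be interoperable; a failure only in 1b points at private-key handling in the key-store (or at the provider, as the post notes for the sign->verify cases).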
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]