Hello,
This is nice, although I don't see any real use case for this engine,
as you require the user to manually export information from CryptoAPI
store into files before the engine could be used.
I think OpenSSL engine (generic) should allow to expose certificate
store, this will allow engines such as this one or PKCS#11 to expose
the complete object list and references.
There is not much point in holding certificates in files while they
exists in CryptoAPI or smartcard... And there is no point not to allow
a program to enumerate available certificates an engine can provide.
There is also an issue of resources prompt (passphrase, token) and a
small issue of object serialization in engine interface.
Am am afraid that as long as OpenSSL engine interface will remain so
low-level developers will look into alternate solution.
Best Regards,
Alon Bar-Lev.
On 6/29/07, Roumen Petrov via RT <[EMAIL PROTECTED]> wrote:
Please find attached file "openssl-mscrypto-20070625.tar.gz" with
openssl engine that can use keys from windows key-store. The engine can
work with external keys too.
Source is for openssl version 0.9.8 and mingw build require openssl
source with mingw patch for 0.9.8 from request #1552 ( see OpenSSL
Request Tracer ).
Directory "engines/" contain source code and in "test/" are batch files
for test cases, environment and sample openssl config files for engine
(openssl.cnf is for 0.9.7). Engine can be used in 0.9.7 but
mscrypto_err.* should be recreated with corresponding util/mkerr.pl .
Engine support only rsa key/certificates. You don't need to mark the
private key as exportable when import PKCS#12(pfx) file. Engine can use
certificates/keys stored on smart cards.
Tests require private key, corresponding public key and certificate that
match private key. Every test case
is operation with engine and opposite operation without. Character "a"
in test case is for with->without engine, "b" is for "without->with".
Test case 1x is for "rsautl" encrypt->decrypt, 2x - "rsautl"
sign->verify, 3x1 - dgst sign->verify with keys/certs form files and in
3x2 (dgst sign->verify) engine will use certificate from key-store. For
test cases 3{a,b}2 certificate with matching private key should be
loaded into key-store.
In test cases 2{a,b} rsautl sign->verify should fail. This look like
problem with implementation in used crypto provider.
File env.bat set paths to openssl program and configuration, engine, key
files, certificate "canonical name", etc. To run test you should set
TEST in "do_test.bat" and to run it.
Extension of openssl configuration file is cnf and by default is always
hidden.
Instruction for mingw build environment:
Build command:
$ make -f Makefile.mscrypto OPENSSLSRC=<path_to_openssl_source>
Make sure that openssl is build and installed.
To install:
$ make -f Makefile.mscrypto install {INSTALLTOP=...} {INSTALL_PREFIX=..}
, where INSTALLTOP and INSTALL_PREFIX are optional.
Roumen
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
