Hello,
I use the "MS capi" engine to access Windows store certificates and keys
from OpenSSL.
(And please, please: no windows/Linux discussion here).

While working with capi engine, I found some things I would like to discuss
here.
Please forgive me that I have more than one item to discuss:

*Question 1:* Maybe there is a *minor bug* in e_capi.c?? The constants for
lookup are off by one:

/* Substring of subject: uses "storename" */
#define CAPI_LU_SUBSTR 0
/* Friendly name: uses storename */
#define CAPI_LU_FNAME 1
/* Container name: uses cspname, keytype */
#define CAPI_LU_CONTNAME 2

The help text is better:

{CAPI_CMD_LOOKUP_METHOD,
"lookup_method",
"Set key lookup method (1=substring, 2=friendlyname, 3=container name)",


And the capi_ctrl() function rejects CAPI_LU_SUBSTR as it is "0":

case CAPI_CMD_LOOKUP_METHOD:
          if (i < 1 || i > 3)
          {
              CAPIerr(CAPI_F_CAPI_CTRL, CAPI_R_INVALID_LOOKUP_METHOD);
              return 0;
          }



*Question 2:*  By the way, I miss a *lookup by thumbprint*.

Finding certificates by substring is not always perfect.
(As a side effect it could help implementing an X509_LOOKUP).

Could we extend the lookup? Like this:

#define CAPI_LU_CONTNAME 3
/* thumbprint (hash) search */
#define CAPI_LU_THUMB 4

I could provide the implementation if an extension is agreed:

static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx, const char *id,
                                     HCERTSTORE hstore)
{
    ...
    switch (ctx->lookup_method)
    {
    case CAPI_LU_SUBSTR:
        return CertFindCertificateInStore(hstore,
                                          X509_ASN_ENCODING, 0,
                                          CERT_FIND_SUBJECT_STR_A, id, NULL);
    case CAPI_LU_THUMB:
        ...
        return CertFindCertificateInStore(hstore,
                                          X509_ASN_ENCODING, 0,
                                          CERT_FIND_HASH, blobID, NULL);
    case CAPI_LU_FNAME:
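As an added illustration of the CAPI_LU_THUMB branch sketched above (this is not code from e_capi.c or from the mail, and the function names capi_parse_thumbprint and capi_find_cert_by_thumb are my own), the part the sketch elides is turning the thumbprint string the caller passes as `id` into the CRYPT_HASH_BLOB that CERT_FIND_HASH expects. The parser is portable and rejects malformed input (non-hex characters, an odd digit count, or anything other than the 20 bytes of a SHA-1 thumbprint); the CryptoAPI call itself is compiled only on Windows and mirrors the call in the sketch. The thumbprint value used in main() is constructed for the example, not a real certificate's.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#endif

/* A SHA-1 certificate thumbprint, as shown by the Windows certificate UI,
 * is 20 bytes; users usually type it as 40 hex digits, optionally with
 * ':' or ' ' between bytes. */
#define CAPI_THUMB_LEN 20

/* Parse a hex thumbprint string into out (capacity out_len).
 * Returns CAPI_THUMB_LEN on success, 0 on malformed input: non-hex
 * characters, a separator in the middle of a byte, an odd number of
 * digits, or a length other than 20 bytes. (Hypothetical helper.) */
static size_t capi_parse_thumbprint(const char *id, unsigned char *out,
                                    size_t out_len)
{
    size_t n = 0;
    int hi = -1;                             /* pending high nibble, or -1 */
    const unsigned char *p;

    for (p = (const unsigned char *)id; *p; p++) {
        int v;
        if (*p == ':' || *p == ' ') {
            if (hi >= 0)
                return 0;                    /* separator splits a byte */
            continue;
        }
        if (!isxdigit(*p))
            return 0;
        v = isdigit(*p) ? *p - '0' : tolower(*p) - 'a' + 10;
        if (hi < 0) {
            hi = v;
        } else {
            if (n >= out_len)
                return 0;                    /* longer than a SHA-1 hash */
            out[n++] = (unsigned char)((hi << 4) | v);
            hi = -1;
        }
    }
    if (hi >= 0)
        return 0;                            /* dangling nibble */
    return n == CAPI_THUMB_LEN ? n : 0;
}

/* Does id parse to a valid 20-byte thumbprint? 1 = yes, 0 = no. */
static int capi_thumbprint_valid(const char *id)
{
    unsigned char buf[CAPI_THUMB_LEN];
    return capi_parse_thumbprint(id, buf, sizeof(buf)) == CAPI_THUMB_LEN;
}

/* Byte i of the parsed thumbprint, or -1 if id is invalid. */
static int capi_thumbprint_byte(const char *id, size_t i)
{
    unsigned char buf[CAPI_THUMB_LEN];
    if (i >= CAPI_THUMB_LEN
        || capi_parse_thumbprint(id, buf, sizeof(buf)) != CAPI_THUMB_LEN)
        return -1;
    return buf[i];
}

#ifdef _WIN32
/* The proposed CAPI_LU_THUMB lookup: build the hash blob and search the
 * store by SHA-1 hash. Returns NULL if the string is malformed or no
 * certificate matches; the caller frees the context as usual. */
static PCCERT_CONTEXT capi_find_cert_by_thumb(HCERTSTORE hstore, const char *id)
{
    unsigned char hash[CAPI_THUMB_LEN];
    CRYPT_HASH_BLOB blob;

    if (capi_parse_thumbprint(id, hash, sizeof(hash)) != CAPI_THUMB_LEN)
        return NULL;
    blob.cbData = CAPI_THUMB_LEN;
    blob.pbData = hash;
    return CertFindCertificateInStore(hstore, X509_ASN_ENCODING, 0,
                                      CERT_FIND_HASH, &blob, NULL);
}
#endif

int main(void)
{
    /* Constructed sample thumbprint, not from a real certificate. */
    const char *thumb = "A9:4A:8F:E5:CC:B1:9B:A6:1C:4C:08:73:D3:91:E9:87:98:2F:BB:D3";
    printf("valid=%d first=0x%02x last=0x%02x\n",
           capi_thumbprint_valid(thumb),
           capi_thumbprint_byte(thumb, 0),
           capi_thumbprint_byte(thumb, CAPI_THUMB_LEN - 1));
    return 0;
}
```

Rejecting bad input before the store call matters here: CertFindCertificateInStore treats a short or garbled blob as "no match" rather than as an error, so without the check a typo in the thumbprint silently degrades into "certificate not found".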



*Question 3:*  I miss a way to set the *ctx->client_store* name; it's only
possible to set the server's ctx->storename.
The client_store is never set and always remains "My".

{CAPI_CMD_STORE_NAME,
"store_name",
"certificate store name, default \"MY\"",
ENGINE_CMD_FLAG_STRING},

Would an extension be wise? I would be happy with something like

{CAPI_CMD_CLIENTSTORE_NAME,
"clientstore_name",
"client certificate store name, default \"MY\"",
ENGINE_CMD_FLAG_STRING},



*Question 4:*  I missed the implementation for
*ENGINE_load_public_key()*, the method is NULL.

There is already a much more complex ENGINE_load_private_key() method;
wouldn't the corresponding public method be a nice feature?

I could help in writing the missing implementation.



These four things would make my application code a lot easier. What do you
think?
