Hello OpenSSL developers,

I have submitted this patch to the openssl-users list before but I
realize developers are probably not following it that much.

While working on my thesis, I used the capi engine and realized that I
could not get a reference to a private key if it was stored inside the
CERT_SYSTEM_STORE_LOCAL_MACHINE store.

While the engine allows setting parameters for CertOpenStore() through
CAPI_CMD_STORE_FLAGS, it does not allow setting flags for
CryptAcquireContext(). But according to Microsoft's documentation
(http://msdn.microsoft.com/en-us/library/windows/desktop/aa379886%28v=vs.85%29.aspx)
it is required to set dwFlags to CRYPT_MACHINE_KEYSET if a private key
should be loaded from there.

I wound up writing a very simple patch that may or may not suit your
requirements. I attached it to this mail in case you want to use it in
this way or have a start on fixing this.

I believe this is an issue as I could find no other way of getting it to
work and working with the user store went just fine. Additionally I did
of course have Administrator's rights when executing my program.

Right now, this patch simply checks if the
CERT_SYSTEM_STORE_LOCAL_MACHINE flag is set and sets dwFlags accordingly.

I would like to hear a developer's opinion on this patch and whether you
will consider implementing a change here. Please note that I am not a
member of this list, so please respond to my mail address.

Regards,
Florian Rüchel

diff --git a/engines/e_capi.c b/engines/e_capi.c
index bfedde0..c1085b5 100644
--- a/engines/e_capi.c
+++ b/engines/e_capi.c
@@ -1432,10 +1432,13 @@ static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx, const char *id, HCERTSTORE h
 static CAPI_KEY *capi_get_key(CAPI_CTX *ctx, const char *contname, char *provname, DWORD ptype, DWORD keyspec)
 	{
 	CAPI_KEY *key;
+    DWORD dwFlags = 0; 
 	key = OPENSSL_malloc(sizeof(CAPI_KEY));
 	CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n", 
 						contname, provname, ptype);
-	if (!CryptAcquireContextA(&key->hprov, contname, provname, ptype, 0))
+    if(ctx->store_flags & CERT_SYSTEM_STORE_LOCAL_MACHINE)
+        dwFlags = CRYPT_MACHINE_KEYSET;
+    if (!CryptAcquireContextA(&key->hprov, contname, provname, ptype, dwFlags)) 
 		{
 		CAPIerr(CAPI_F_CAPI_GET_KEY, CAPI_R_CRYPTACQUIRECONTEXT_ERROR);
 		capi_addlasterror();
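Review bot: the test `if(ctx->store_flags & CERT_SYSTEM_STORE_LOCAL_MACHINE)` checks a single bit, but CERT_SYSTEM_STORE_LOCAL_MACHINE is an encoded store location ID (an 8-bit ID shifted into the high word of the CertOpenStore() flags), not a standalone flag bit, so any other location whose ID shares that bit would also be treated as the machine store; compare the masked location field instead, e.g. `if ((ctx->store_flags & CERT_SYSTEM_STORE_LOCATION_MASK) == CERT_SYSTEM_STORE_LOCAL_MACHINE)`. Deriving the CryptAcquireContext() flags from the certificate-store flags is also implicit coupling that deserves a comment; a dedicated control command alongside CAPI_CMD_STORE_FLAGS (or a ctx field for key-container flags) would let callers request CRYPT_MACHINE_KEYSET explicitly. Style: the new lines use four-space indentation and carry trailing whitespace (`DWORD dwFlags = 0; ` and the new CryptAcquireContextA line) while the surrounding code is tab-indented, and `if(` lacks the space used elsewhere in the file.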
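The flag derivation the patch performs, as an added example that is not part of the mail or of OpenSSL's e_capi.c: it maps the CertOpenStore() location encoded in the engine's store flags to the CryptAcquireContext() dwFlags value, and places the patch's single-bit test beside a comparison of the whole location field. It is built without <wincrypt.h> so it compiles on any platform; the constant values, the DWORD typedef and the function names are assumptions of this example, not OpenSSL or Windows SDK code.

```c
/* Added example (not the submitted patch and not OpenSSL's own code).
 * The constants below are the wincrypt.h values as I know them and are an
 * assumption of this example; DWORD is typedef'd here only so the code
 * builds without the Windows headers. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t DWORD;

/* CertOpenStore() encodes an 8-bit store location ID in bits 16..23 of
 * dwFlags; the low bits hold ordinary option flags. */
#define CERT_SYSTEM_STORE_LOCATION_SHIFT 16
#define CERT_SYSTEM_STORE_LOCATION_MASK  0x00FF0000
#define CERT_SYSTEM_STORE_CURRENT_USER   (1 << CERT_SYSTEM_STORE_LOCATION_SHIFT)
#define CERT_SYSTEM_STORE_LOCAL_MACHINE  (2 << CERT_SYSTEM_STORE_LOCATION_SHIFT)
#define CERT_SYSTEM_STORE_USERS          (6 << CERT_SYSTEM_STORE_LOCATION_SHIFT)
#define CERT_STORE_OPEN_EXISTING_FLAG    0x00004000

/* CryptAcquireContext() flag selecting the per-machine key container. */
#define CRYPT_MACHINE_KEYSET             0x00000020

/* Derivation as written in the patch: a single-bit test against the
 * location ID.  Any location whose ID shares bit 1 (for example the
 * "Users" store, ID 6) is mistaken for the local machine store. */
DWORD key_flags_bit_test(DWORD store_flags)
{
    return (store_flags & CERT_SYSTEM_STORE_LOCAL_MACHINE) ? CRYPT_MACHINE_KEYSET : 0;
}

/* Hardened derivation: isolate the location field and compare it as a
 * whole, so only the local machine store selects the machine key set. */
DWORD key_flags_location_compare(DWORD store_flags)
{
    DWORD location = store_flags & CERT_SYSTEM_STORE_LOCATION_MASK;
    return (location == CERT_SYSTEM_STORE_LOCAL_MACHINE) ? CRYPT_MACHINE_KEYSET : 0;
}

int main(void)
{
    /* Constructed inputs: store flags as CAPI_CMD_STORE_FLAGS might set them. */
    DWORD cases[] = {
        CERT_SYSTEM_STORE_CURRENT_USER  | CERT_STORE_OPEN_EXISTING_FLAG,
        CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_OPEN_EXISTING_FLAG,
        CERT_SYSTEM_STORE_USERS         | CERT_STORE_OPEN_EXISTING_FLAG,
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("store_flags=0x%08x  bit_test=0x%02x  location_compare=0x%02x\n",
               (unsigned)cases[i],
               (unsigned)key_flags_bit_test(cases[i]),
               (unsigned)key_flags_location_compare(cases[i]));
    return 0;
}
```

Running it shows the two derivations agreeing for the current-user and local-machine stores and disagreeing for the "Users" store, where the single-bit test would request CRYPT_MACHINE_KEYSET for a store that is not the machine store.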
