RE: Using certificate and private key from Windows cert store with OpenSSL
Hi! I searched a bit around and came up with this. I used v1.0.0.5 OpenSSL DLLs, but if you compile 0.9 with engine enabled, it should work.

```delphi
{ Loads the private key that belongs to ACert through OpenSSL's CAPI engine
  (capi.dll, loaded via the "dynamic" engine) and installs it in ASSLCtx.
  The f_ENGINE_* names are the poster's own imports of the OpenSSL ENGINE API. }
function UsePKeyFromCapi(const ASSLCtx: PSSL_CTX; const ACert: PCCERT_CONTEXT): Boolean;
var
  CapiEngine: PENGINE;
  EngStatus: Integer;
  ProvLen, ContNameLen: Integer;
  ProvInfo: ^CRYPT_KEY_PROV_INFO;
  ContName: PAnsiChar;
  LKey: PEVP_PKEY;
begin
  f_ENGINE_load_builtin_engines;
  CapiEngine := f_ENGINE_by_id('dynamic');
  Result := False;  // becomes True only once the key is installed and checked
  ContNameLen := 0;
  ProvLen := 0;
  ProvInfo := nil;
  ContName := nil;
  LKey := nil;
  try
    if CapiEngine <> nil then
    begin
      // Point the "dynamic" engine at capi.dll, then load and initialise it.
      EngStatus := f_ENGINE_ctrl_cmd_string(CapiEngine, 'SO_PATH', '.\capi.dll', 0);
      if EngStatus <> 0 then
        EngStatus := f_ENGINE_ctrl_cmd_string(CapiEngine, 'LOAD', nil, 0);
      if EngStatus <> 0 then
        EngStatus := f_ENGINE_init(CapiEngine);
      if EngStatus <> 0 then
        f_ENGINE_register_all_complete;
      // The certificate's CERT_KEY_PROV_INFO property names the CSP key container.
      if (EngStatus <> 0) and
         CertGetCertificateContextProperty(ACert, CERT_KEY_PROV_INFO_PROP_ID, nil, @ProvLen) then
      begin
        ProvInfo := AllocMem(ProvLen);
        if CertGetCertificateContextProperty(ACert, CERT_KEY_PROV_INFO_PROP_ID, ProvInfo, @ProvLen) then
        begin
          // The engine wants the container name as an ANSI string.
          ContNameLen := LocaleCharsFromUnicode(DefaultSystemCodePage, 0, ProvInfo^.pwszContainerName, -1, nil, 0, nil, nil);
          ContName := AllocMem(ContNameLen);
          LocaleCharsFromUnicode(DefaultSystemCodePage, 0, ProvInfo^.pwszContainerName, -1, ContName, ContNameLen, nil, nil);
        end;
        // lookup_method 3 = look the key up by container name.
        if f_ENGINE_ctrl_cmd_string(CapiEngine, 'lookup_method', '3', 0) <> 0 then
        begin
          LKey := f_ENGINE_load_private_key(CapiEngine, ContName, nil, nil);
          if SSL_CTX_use_PrivateKey(ASSLCtx, LKey) <> 0 then
            if SSL_CTX_check_private_key(ASSLCtx) <> 0 then
              Result := True;
        end;
      end;
    end;
  finally
    f_ENGINE_free(CapiEngine);
    if Assigned(ProvInfo) then FreeMem(ProvInfo);
    if Assigned(ContName) then FreeMem(ContName);
    if Assigned(LKey) then EVP_PKEY_free(LKey);
  end;
end;
```

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Vladimir Belov
Sent: Tuesday, November 01, 2011 7:26 PM
To: openssl-users@openssl.org
Subject: Re: Using certificate and private key from Windows cert store with OpenSSL
Re: Using certificate and private key from Windows cert store with OpenSSL
Thanks, I understood that the 'enable-capieng' option is a standard option for Configure (enable/no). Is this option only for openssl.exe? How will openssl.exe use the Windows CERT store? Automatically, or is there a command of openssl.exe for this? I asked about OpenSSL API functions that will let me use the Windows CERT store directly in my own program, like X509_verify_cert for the OpenSSL CERT store. Or must I manually extract the certificate during the handshake, transform it (if necessary) and give it to WinAPI functions for further verification of the certificate with CryptoAPI?

---
From: Sergio NNX
Sent: Monday, October 31, 2011 11:12 PM
To: openssl-users@openssl.org
Subject: RE: Using certificate and private key from Windows cert store with OpenSSL

Ciao. I use MinGW to build OpenSSL and it has always worked very well. Steps:
a) perl Configure mingw shared enable-capieng --prefix=/mingw --openssldir=C:/OpenSSL
b) make
After a while, you'll have openssl.exe and a couple of DLLs. At this stage, you'll be able to access the Windows Certificate store. If you're using Windows boxes, I can send you my copy of OpenSSL for you to test. I hope it helps. Sergio.

From: ml.vladimbe...@gmail.com
To: openssl-users@openssl.org
Subject: Re: Using certificate and private key from Windows cert store with OpenSSL
Date: Mon, 31 Oct 2011 21:40:44 +0400

Sergio, how do I set this option when building OpenSSL? I didn't find any suggestions in the documentation. And can you give a link to the documentation on the openssl.org site where there are API functions to work with Windows CERT stores?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: Using certificate and private key from Windows cert store with OpenSSL
This option is for the OpenSSL API, and I sure hope it would work with all the supported Windows compilers, so you can use it with the compiler needed by the rest of your project. Once compiled in, your code will need to use some engine API at your program startup to request use of that engine plug-in, after which you should be able to use the Windows Certificate store and contents directly.

On 11/1/2011 4:03 PM, Vladimir Belov wrote:
Re: Using certificate and private key from Windows cert store with OpenSSL
How do I use some engine API in my program? What is the name of this engine API or engine plug-in? Please give a small example, or tell me where I can find documentation about this. Is there any documentation on openssl.org?

--
From: Jakob Bohm
Sent: Tuesday, November 01, 2011 8:04 PM
To: openssl-users@openssl.org
Subject: Re: Using certificate and private key from Windows cert store with OpenSSL
Re: Using certificate and private key from Windows cert store with OpenSSL
I actually don't know, but try looking in the source code for the openssl.exe utility and look at what it does with the engine command line option.

On 11/1/2011 6:26 PM, Vladimir Belov wrote:
Re: Using certificate and private key from Windows cert store with OpenSSL
On Tue, Nov 01, 2011, Vladimir Belov wrote:

Note that the ENGINE API currently only accesses keys and not certificates. The CryptoAPI ENGINE can be used to redirect operations to private keys stored on Windows.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
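Neither Steve's note nor Andrejs' UsePKeyFromCapi function at the top of this page shows the certificate half: the ENGINE supplies only the key, so the certificate has to be fetched from the Windows store separately and handed to OpenSSL, which is easy because CryptoAPI keeps it as DER. What follows is an added example, not code from the thread and not part of OpenSSL or Indy. It assumes Indy's IdSSLOpenSSLHeaders unit (the one the thread's Delphi code uses) exports d2i_X509, X509_free and SSL_CTX_use_certificate; the crypt32 functions are imported directly, so no particular WinCrypt binding unit is needed; the store name, the subject-substring lookup and the function name UseCertFromCapi are my choices.

```delphi
{ Added example, not from the thread. Goes in a unit that uses Windows, SysUtils
  and IdSSLOpenSSLHeaders, and assumes that Indy header exports d2i_X509,
  X509_free and SSL_CTX_use_certificate. CERT_CONTEXT layout is from wincrypt.h. }
type
  HCERTSTORE = Pointer;
  PCCERT_CONTEXT = ^CERT_CONTEXT;
  CERT_CONTEXT = record
    dwCertEncodingType: DWORD;
    pbCertEncoded: PByte;       // raw DER certificate
    cbCertEncoded: DWORD;
    pCertInfo: Pointer;
    hCertStore: HCERTSTORE;
  end;

const
  X509_ASN_ENCODING = $00000001;
  PKCS_7_ASN_ENCODING = $00010000;
  CERT_FIND_SUBJECT_STR_W = $00080007;  // substring match on the subject display name

function CertOpenSystemStoreW(hProv: NativeUInt; szSubsystemProtocol: PWideChar): HCERTSTORE; stdcall; external 'crypt32.dll';
function CertFindCertificateInStore(hCertStore: HCERTSTORE; dwCertEncodingType, dwFindFlags, dwFindType: DWORD;
  pvFindPara: Pointer; pPrevCertContext: PCCERT_CONTEXT): PCCERT_CONTEXT; stdcall; external 'crypt32.dll';
function CertFreeCertificateContext(pCertContext: PCCERT_CONTEXT): BOOL; stdcall; external 'crypt32.dll';
function CertCloseStore(hCertStore: HCERTSTORE; dwFlags: DWORD): BOOL; stdcall; external 'crypt32.dll';

{ Finds the first certificate in CurrentUser\MY whose subject contains ASubject,
  installs it in ASSLCtx and returns its CERT_CONTEXT in ACert. The caller passes
  ACert on to the engine-based private key loader and frees it afterwards with
  CertFreeCertificateContext. }
function UseCertFromCapi(ASSLCtx: PSSL_CTX; const ASubject: UnicodeString; out ACert: PCCERT_CONTEXT): Boolean;
var
  Store: HCERTSTORE;
  Der: PAnsiChar;
  Cert: PX509;
begin
  Result := False;
  ACert := nil;
  Cert := nil;
  Store := CertOpenSystemStoreW(0, 'MY');
  if Store = nil then RaiseLastOSError;
  try
    ACert := CertFindCertificateInStore(Store, X509_ASN_ENCODING or PKCS_7_ASN_ENCODING, 0,
      CERT_FIND_SUBJECT_STR_W, PWideChar(ASubject), nil);
    if ACert = nil then Exit;
    // pbCertEncoded is DER, which is exactly what d2i_X509 parses. d2i_X509 advances
    // the pointer it is given, so it gets a scratch copy rather than the context field.
    Der := PAnsiChar(ACert^.pbCertEncoded);
    Cert := d2i_X509(nil, @Der, ACert^.cbCertEncoded);
    if Cert = nil then Exit;
    // SSL_CTX_use_certificate takes its own reference; ours is released below.
    Result := SSL_CTX_use_certificate(ASSLCtx, Cert) = 1;
  finally
    if Cert <> nil then X509_free(Cert);
    if (not Result) and (ACert <> nil) then
    begin
      CertFreeCertificateContext(ACert);
      ACert := nil;
    end;
    // A live CERT_CONTEXT holds its own reference to the store, so closing the
    // handle here leaves ACert valid for the caller.
    CertCloseStore(Store, 0);
  end;
end;
```

Call it before the key loader, pass the returned CERT_CONTEXT to UsePKeyFromCapi, and let SSL_CTX_check_private_key confirm that the engine key matches the certificate. Two things to tighten before relying on this: CERT_FIND_SUBJECT_STR_W is a substring match, so select by thumbprint (CERT_FIND_SHA1_HASH) when several similar certificates exist; and the posted engine loader takes capi.dll from '.\capi.dll', i.e. the current directory, so give it an absolute path under your installation rather than risk loading a planted DLL. Intermediate certificates are not added here; for a self-signed certificate like Andrejs' there are none.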
Re: Using certificate and private key from Windows cert store with OpenSSL
Thanks for the answer, Stephen. Does it mean that if I want to perform certificate verification with Windows CryptoAPI, I must manually extract the certificate from the handshake procedure or get it through a callback function, change its format (to be compatible with WinAPI functions) and give it to WinAPI functions for further verification of the certificate with Windows CryptoAPI?

From: Dr. Stephen Henson
Sent: Tuesday, November 01, 2011 10:45 PM
To: openssl-users@openssl.org
Subject: Re: Using certificate and private key from Windows cert store with OpenSSL
Re: Using certificate and private key from Windows cert store with OpenSSL
Or you could use CryptoAPI functions to get the certificates (not private keys) from CryptoAPI and load them into OpenSSL. Note that while your original post used the historic CryptoAPI-specific structures for bare RSA keys, which differ a lot from their OpenSSL counterparts, the CryptoAPI certificate functions (CertXxx) tend to provide and accept raw DER-encoded certificate blobs, which can also be handled by OpenSSL.

On 11/1/2011 8:13 PM, Vladimir Belov wrote:
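An added example for the direction Jakob describes and Vladimir asks about (not code from the thread, from OpenSSL or from Indy): the X509 that OpenSSL hands a verify callback during the handshake is re-encoded with i2d_X509, the resulting DER goes unchanged into CertCreateCertificateContext, and CryptoAPI's chain engine validates it against the Windows root and intermediate stores, with the SSL policy adding the server-name and EKU checks. It assumes Indy's IdSSLOpenSSLHeaders exports i2d_X509, X509_STORE_CTX_get_current_cert and X509_STORE_CTX_get_error_depth; the crypt32 structures and imports are declared inline from the wincrypt.h layouts; the names VerifyWithCryptoAPI, CapiVerifyCallback and ExpectedServerName, and the single-expected-peer design, are mine.

```delphi
{ Added example, not from the thread. Goes in a unit that uses Windows, SysUtils
  and IdSSLOpenSSLHeaders, and assumes that Indy header exports i2d_X509,
  X509_STORE_CTX_get_current_cert and X509_STORE_CTX_get_error_depth.
  Structure layouts are taken from wincrypt.h; the contexts stay opaque here. }
type
  PCCERT_CONTEXT = Pointer;
  PCCERT_CHAIN_CONTEXT = Pointer;
  CERT_ENHKEY_USAGE = record cUsageIdentifier: DWORD; rgpszUsageIdentifier: PPAnsiChar; end;
  CERT_USAGE_MATCH = record dwType: DWORD; Usage: CERT_ENHKEY_USAGE; end;
  CERT_CHAIN_PARA = record cbSize: DWORD; RequestedUsage: CERT_USAGE_MATCH; end;
  CERT_CHAIN_POLICY_PARA = record cbSize, dwFlags: DWORD; pvExtraPolicyPara: Pointer; end;
  CERT_CHAIN_POLICY_STATUS = record cbSize, dwError: DWORD; lChainIndex, lElementIndex: LongInt; pvExtraPolicyStatus: Pointer; end;
  SSL_EXTRA_CERT_CHAIN_POLICY_PARA = record cbSize, dwAuthType, fdwChecks: DWORD; pwszServerName: PWideChar; end;

const
  X509_ASN_ENCODING = $00000001;
  USAGE_MATCH_TYPE_AND = 0;
  CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT = $40000000;
  CERT_CHAIN_POLICY_SSL = PAnsiChar(4);
  AUTHTYPE_SERVER = 2;

function CertCreateCertificateContext(dwCertEncodingType: DWORD; pbCertEncoded: PByte; cbCertEncoded: DWORD): PCCERT_CONTEXT; stdcall; external 'crypt32.dll';
function CertFreeCertificateContext(pCertContext: PCCERT_CONTEXT): BOOL; stdcall; external 'crypt32.dll';
function CertGetCertificateChain(hChainEngine: Pointer; pCertContext: PCCERT_CONTEXT; pTime: PFileTime; hAdditionalStore: Pointer;
  var pChainPara: CERT_CHAIN_PARA; dwFlags: DWORD; pvReserved: Pointer; out ppChainContext: PCCERT_CHAIN_CONTEXT): BOOL; stdcall; external 'crypt32.dll';
procedure CertFreeCertificateChain(pChainContext: PCCERT_CHAIN_CONTEXT); stdcall; external 'crypt32.dll';
function CertVerifyCertificateChainPolicy(pszPolicyOID: PAnsiChar; pChainContext: PCCERT_CHAIN_CONTEXT;
  var pPolicyPara: CERT_CHAIN_POLICY_PARA; var pPolicyStatus: CERT_CHAIN_POLICY_STATUS): BOOL; stdcall; external 'crypt32.dll';

var
  ExpectedServerName: UnicodeString;  // set before connecting; one peer per process keeps the example short

{ True when CryptoAPI accepts ACert as a server certificate for AServerName;
  otherwise AStatus holds the CERT_E_* / TRUST_E_* / CRYPT_E_* HRESULT. }
function VerifyWithCryptoAPI(ACert: PX509; const AServerName: UnicodeString; out AStatus: DWORD): Boolean;
var
  Der, P: PAnsiChar; DerLen: Integer;
  CertCtx: PCCERT_CONTEXT; Chain: PCCERT_CHAIN_CONTEXT;
  ChainPara: CERT_CHAIN_PARA; PolicyPara: CERT_CHAIN_POLICY_PARA;
  SslPara: SSL_EXTRA_CERT_CHAIN_POLICY_PARA; PolicyStatus: CERT_CHAIN_POLICY_STATUS;
begin
  Result := False;
  AStatus := DWORD(E_FAIL);
  // i2d_X509 with a nil output reports the DER length; the second call writes the
  // bytes and advances the pointer it is given, hence the scratch copy P.
  DerLen := i2d_X509(ACert, nil);
  if DerLen <= 0 then Exit;
  GetMem(Der, DerLen);
  try
    P := Der;
    if i2d_X509(ACert, @P) <> DerLen then Exit;
    // The DER blob is exactly what CertCreateCertificateContext expects.
    CertCtx := CertCreateCertificateContext(X509_ASN_ENCODING, PByte(Der), DerLen);
    if CertCtx = nil then Exit;
    try
      // Build the chain from the Windows stores (and AIA), checking revocation below
      // the root; an unanswered revocation check is reported by the policy, not ignored.
      FillChar(ChainPara, SizeOf(ChainPara), 0);
      ChainPara.cbSize := SizeOf(ChainPara);
      ChainPara.RequestedUsage.dwType := USAGE_MATCH_TYPE_AND;  // empty usage list: no EKU filter
      if not CertGetCertificateChain(nil, CertCtx, nil, nil, ChainPara,
          CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, nil, Chain) then Exit;
      try
        // The SSL policy adds the browser-style checks: server-auth EKU, name match
        // against AServerName, validity period and the chain's trust status.
        FillChar(SslPara, SizeOf(SslPara), 0);
        SslPara.cbSize := SizeOf(SslPara);
        SslPara.dwAuthType := AUTHTYPE_SERVER;
        SslPara.pwszServerName := PWideChar(AServerName);
        FillChar(PolicyPara, SizeOf(PolicyPara), 0);
        PolicyPara.cbSize := SizeOf(PolicyPara);
        PolicyPara.pvExtraPolicyPara := @SslPara;
        FillChar(PolicyStatus, SizeOf(PolicyStatus), 0);
        PolicyStatus.cbSize := SizeOf(PolicyStatus);
        if CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, Chain, PolicyPara, PolicyStatus) then
        begin
          AStatus := PolicyStatus.dwError;  // 0 = accepted, else e.g. CERT_E_CN_NO_MATCH
          Result := AStatus = 0;
        end;
      finally
        CertFreeCertificateChain(Chain);
      end;
    finally
      CertFreeCertificateContext(CertCtx);
    end;
  finally
    FreeMem(Der);
  end;
end;

{ Verify callback for SSL_CTX_set_verify(Ctx, SSL_VERIFY_PEER, @CapiVerifyCallback).
  Windows is meant to be the trust store, so OpenSSL's verdict on issuers (depth > 0)
  is waived and CryptoAPI decides at the end-entity certificate (depth 0). }
function CapiVerifyCallback(preverify_ok: Integer; ctx: PX509_STORE_CTX): Integer; cdecl;
var Status: DWORD;
begin
  if X509_STORE_CTX_get_error_depth(ctx) > 0 then
    Result := 1
  else
    Result := Ord(VerifyWithCryptoAPI(X509_STORE_CTX_get_current_cert(ctx), ExpectedServerName, Status));
end;
```

Set ExpectedServerName to the host you are connecting to before the handshake; a zero return from the callback aborts the connection, and the HRESULT in AStatus says why (CERT_E_UNTRUSTEDROOT, CERT_E_CN_NO_MATCH, CERT_E_EXPIRED and so on). One limitation to be aware of: CryptoAPI builds its own chain from the Windows stores and AIA, so intermediates that the server presented in the handshake but that Windows cannot find on its own are not used; to include them, add them to a memory store and pass it as hAdditionalStore.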
RE: Using certificate and private key from Windows cert store with OpenSSL
Duh... I was sure these were the needed parts. Now, I tried to call CryptExportKey with the PRIVATEKEYBLOB flag, and of course it returned an error, because the certificate was imported to the store without the "Mark as Exportable" option. But there has to be a way to use the certificate and private key somehow with OpenSSL? I'm really a beginner with this certificate thing, maybe I just don't understand something? :)

Simple, really: You have not set the private part of the private key (d, p, q, dmp1, dmq1, iqmp). You need to export the private key from CryptoAPI too, and convert that blob, not the public key blob. Alternatively, I have heard rumors of a CryptoAPI engine plug-in for OpenSSL which will let OpenSSL directly use the keys and certificates stored by Windows.

On 10/28/2011 9:48 AM, Andrejs Štrumfs wrote:

Hi! I am trying to make a program that uses some Web Services in Delphi XE. To connect to the Web Services, I have to use a self-signed (hope this is the correct term) certificate, which is stored in the Windows cert store. So, I open the cert store with CertOpenSystemStore, get the cert with CertFindCertificateInStore and set it with SSL_CTX_use_certificate. No problem with this. Then I get the public key blob with CryptExportKey and make up a private key like this:

```delphi
{ Builds an OpenSSL RSA key from a CryptoAPI PUBLICKEYBLOB. Only n and e are
  filled in; d, p, q, dmp1, dmq1 and iqmp stay nil (see the RSA structure dump
  after the function). }
function PrivKeyBlob2RSA(const AKeyBlob: PByte; const ALength: Integer;
  const ASSLCtx: PSSL_CTX): IdSSLOpenSSLHeaders.PEVP_PKEY;
var
  modulus: PByte;
  bh: PBLOBHEADER;
  rp: PRSAPUBKEY;
  rsa_modlen: DWORD;
  rsa_modulus: PAnsiChar;
  rkey: PRSA;
begin
  bh := PBLOBHEADER(AKeyBlob);
  Assert(bh^.bType = PUBLICKEYBLOB);
  rp := PRSAPUBKEY(AKeyBlob + 8);                       // RSAPUBKEY follows the 8-byte BLOBHEADER
  Assert(rp^.magic = $31415352);                        // 'RSA1'
  rsa_modulus := PAnsiChar(Integer(Pointer(rp)) + 12);  // modulus follows the 12-byte RSAPUBKEY
  rkey := RSA_new_method(ASSLCtx.client_cert_engine);
  rkey^.References := 1;
  rkey^.e := BN_new;
  rkey^.n := BN_new;
  BN_set_word(rkey^.e, rp^.pubexp);
  rsa_modlen := (rp^.bitlen div 8) + 1;
  modulus := AllocMem(rsa_modlen);
  CopyMemory(modulus, rsa_modulus, rsa_modlen);
  RevBuffer(modulus, rsa_modlen);                       // CryptoAPI stores the modulus little-endian
  BN_bin2bn(modulus, rsa_modlen, rkey^.n);
  Result := EVP_PKEY_new;
  EVP_PKEY_assign_RSA(Result, PAnsiChar(rkey));
end;
```

and set it up with SSL_CTX_use_PrivateKey and SSL_CTX_check_private_key. Also, no problem so far. But then, when data transfer begins, I get an access violation in libeay32.dll - Access violation at address 09881C5F in module 'libeay32.dll'. Read of address . If I load the key from a .pem file, everything is fine. The libeay32.dll version is 1.0.0.5. Tried with version 0.9.something too - got the same error, just a different address. Below is the RSA structure I get in PrivKeyBlob2RSA:

```
pad             0
version         0
meth            $898030C
engine          nil
n               $A62D508
e               $A62D4D8
d               nil
p               nil
q               nil
dmp1            nil
dmq1            nil
iqmp            nil
ex_data         (nil, -1163005939 {$BAADF00D})
references      1
flags           6
_method_mod_n   nil
_method_mod_p   nil
_method_mod_q   nil
bignum_data     nil {#0}
blinding        nil
mt_blinding     nil
```

I checked the n and e bignums, and they are CORRECT, and everything else looks ok. The error happens when calling ssl_read. I can't see what I am doing wrong, please help :)

Thanks
Andrejs
Re: Using certificate and private key from Windows cert store with OpenSSL
In that case look for the CryptoAPI engine for openssl, not sure of its official name though.

On 10/29/2011 8:21 AM, Andrejs Štrumfs wrote:
RE: Using certificate and private key from Windows cert store with OpenSSL
Ciao Andrejs. I don't know much about the source code you posted previously but if you build OpenSSL with the 'enable-capieng' option you'll be able to access every single store and all the certs stored in Windows. I hope it helps. Sergio.

Date: Mon, 31 Oct 2011 09:44:11 +0100
From: jb-open...@wisemo.com
To: openssl-users@openssl.org
Subject: Re: Using certificate and private key from Windows cert store with OpenSSL
Re: Using certificate and private key from Windows cert store with OpenSSL
Thanks, that was the option I was just suggesting, but I could not remember the name. Thanks for finding the name for me, hope it helps the OP.

On 10/31/2011 10:02 AM, Sergio NNX wrote:
Ciao Andrejs.
I don't know much about the source code you posted previously but if you build OpenSSL with the 'enable-capieng' option you'll be able to access every single store and all the certs stored in Windows.
I hope it helps.
Sergio.

Date: Mon, 31 Oct 2011 09:44:11 +0100
From: jb-open...@wisemo.com
To: openssl-users@openssl.org
Subject: Re: Using certificate and private key from Windows cert store with OpenSSL

In that case look for the CryptoAPI engine for openssl, not sure of its official name though.

On 10/29/2011 8:21 AM, Andrejs Štrumfs wrote:
Duh... I was sure these were the needed parts. Now, I tried to call CryptExportKey with the PRIVATEKEYBLOB flag, and of course it returned an error, because the certificate was imported to the store without the Mark as Exportable option. But there has to be a way to use the certificate and private key somehow with OpenSSL? I'm really a beginner with this certificate thing, maybe I just don't understand something? :)
Re: Using certificate and private key from Windows cert store with OpenSSL
Sergio, how do I set this option when building OpenSSL? I didn't find any suggestions in the documentation. And can you give a link to the documentation on the openssl.org site for the API functions that work with Windows cert stores?
RE: Using certificate and private key from Windows cert store with OpenSSL
Ciao.

I use MinGW to build OpenSSL and it has always worked very well.

Steps:
a) perl Configure mingw shared enable-capieng --prefix=/mingw --openssldir=C:/OpenSSL
b) make

After a while, you'll have openssl.exe and a couple of DLLs. At this stage, you'll be able to access the Windows Certificate store.

If you're using Windows boxes, I can send you my copy of OpenSSL for you to test.

I hope it helps.
Sergio.
Using certificate and private key from Windows cert store with OpenSSL
Hi! I am trying to make a program that uses some Web Services in Delphi XE. To connect to the Web Services, I have to use a self-signed (hope this is the correct term) certificate, which is stored in the Windows cert store. So, I open the cert store with CertOpenSystemStore, get the cert with CertFindCertificateInStore and set it with SSL_CTX_use_certificate. No problem with this.

Then I get the public key blob with CryptExportKey and make up a private key like this:

    function PrivKeyBlob2RSA(const AKeyBlob: PByte; const ALength: Integer; const ASSLCtx: PSSL_CTX): IdSSLOpenSSLHeaders.PEVP_PKEY;
    var
      modulus: PByte;
      bh: PBLOBHEADER;
      rp: PRSAPUBKEY;
      rsa_modlen: DWORD;
      rsa_modulus: PAnsiChar;
      rkey: PRSA;
    begin
      bh := PBLOBHEADER(AKeyBlob);
      Assert(bh^.bType = PUBLICKEYBLOB);
      rp := PRSAPUBKEY(AKeyBlob + 8);
      Assert(rp.magic = $31415352);
      rsa_modulus := PAnsiChar(Integer(Pointer(rp)) + 12);
      rkey := RSA_new_method(ASSLCtx.client_cert_engine);
      rkey^.References := 1;
      rkey^.e := BN_new;
      rkey^.n := BN_new;
      BN_set_word(rkey^.e, rp^.pubexp);
      rsa_modlen := (rp^.bitlen div 8) + 1;
      modulus := AllocMem(rsa_modlen);
      CopyMemory(modulus, rsa_modulus, rsa_modlen);
      RevBuffer(modulus, rsa_modlen);
      BN_bin2bn(modulus, rsa_modlen, rkey^.n);
      Result := EVP_PKEY_new;
      EVP_PKEY_assign_RSA(Result, PAnsiChar(rkey));
    end;

and set it up with SSL_CTX_use_PrivateKey and SSL_CTX_check_private_key. Also, no problem so far.

But then, when data transfer begins, I get an access violation in libeay32.dll - "Access violation at address 09881C5F in module 'libeay32.dll'. Read of address ." If I load the key from a .pem file, everything is fine. The libeay32.dll version is 1.0.0.5. Tried with version 0.9.something too - got the same error, just a different address.

Below is the RSA structure I get in PrivKeyBlob2RSA:

    pad            0
    version        0
    meth           $898030C
    engine         nil
    n              $A62D508
    e              $A62D4D8
    d              nil
    p              nil
    q              nil
    dmp1           nil
    dmq1           nil
    iqmp           nil
    ex_data        (nil, -1163005939 {$BAADF00D})
    references     1
    flags          6
    _method_mod_n  nil
    _method_mod_p  nil
    _method_mod_q  nil
    bignum_data    nil {#0}
    blinding       nil
    mt_blinding    nil

I checked the n and e bignums, and they are CORRECT, and everything else looks ok. The error happens when calling the function ssl_read.

I can't see what I am doing wrong, please help :)

Thanks
Andrejs
Re: Using certificate and private key from Windows cert store with OpenSSL
Simple, really: You have not set the private part of the private key (d, p, q, dmp1, dmq1, iqmp). You need to export the private key from CryptoAPI too, and convert that blob, not the public key blob.

Alternatively, I have heard rumors of a CryptoAPI engine plug-in for OpenSSL which will let OpenSSL directly use the keys and certificates stored by Windows.
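To make the point above concrete, here is an added example (not code from this thread) that builds and parses both CryptoAPI RSA blob layouts for a constructed toy key: a PUBLICKEYBLOB carries only n and e, so an RSA structure built from it has d, p, q, dmp1, dmq1 and iqmp unset, and SSL_CTX_check_private_key still passes because it only compares the public half with the certificate. The bType, aiKeyAlg and magic constants are the Windows SDK values; the 32-bit primes are constructed so the blobs stay small.

```python
"""Build and parse Microsoft CryptoAPI RSA key blobs (PUBLICKEYBLOB / PRIVATEKEYBLOB).

Added example, not code from the thread. The toy key is constructed from two
32-bit primes so the blobs stay small; real keys are 2048 bits or more.
"""
import struct

PUBLICKEYBLOB = 0x06          # BLOBHEADER.bType from CryptExportKey(..., PUBLICKEYBLOB, ...)
PRIVATEKEYBLOB = 0x07         # BLOBHEADER.bType from CryptExportKey(..., PRIVATEKEYBLOB, ...)
CALG_RSA_KEYX = 0x0000A400    # BLOBHEADER.aiKeyAlg for an RSA key-exchange key
CALG_RSA_SIGN = 0x00002400    # BLOBHEADER.aiKeyAlg for an RSA signature key
RSA1_MAGIC = 0x31415352       # b"RSA1": RSAPUBKEY.magic in a public key blob
RSA2_MAGIC = 0x32415352       # b"RSA2": RSAPUBKEY.magic in a private key blob
HEADER_LEN = 8 + 12           # sizeof(BLOBHEADER) + sizeof(RSAPUBKEY)


def _le(value: int, size: int) -> bytes:
    """CryptoAPI stores every big number little-endian at a fixed width."""
    return value.to_bytes(size, "little")


def build_rsa_blobs(p: int, q: int, e: int = 65537) -> tuple:
    """Return (public_blob, private_blob) for the RSA key with primes p and q.

    Layout (all little-endian, per wincrypt.h):
      BLOBHEADER | RSAPUBKEY | modulus[bitlen/8]                        (public)
      BLOBHEADER | RSAPUBKEY | modulus | p | q | dp | dq | qinv | d      (private)
    p, q, dp, dq and qinv are bitlen/16 bytes each; modulus and d are bitlen/8.
    """
    n = p * q
    bitlen = n.bit_length()
    full, half = bitlen // 8, bitlen // 16
    d = pow(e, -1, (p - 1) * (q - 1))
    public = (struct.pack("<BBHI", PUBLICKEYBLOB, 2, 0, CALG_RSA_KEYX)
              + struct.pack("<III", RSA1_MAGIC, bitlen, e) + _le(n, full))
    private = (struct.pack("<BBHI", PRIVATEKEYBLOB, 2, 0, CALG_RSA_KEYX)
               + struct.pack("<III", RSA2_MAGIC, bitlen, e)
               + _le(n, full) + _le(p, half) + _le(q, half)
               + _le(d % (p - 1), half) + _le(d % (q - 1), half)
               + _le(pow(q, -1, p), half)       # coefficient = q^-1 mod p (PKCS#1 iqmp)
               + _le(d, full))
    return public, private


def parse_rsa_blob(blob: bytes) -> dict:
    """Decode a CryptoAPI RSA blob into ints; private fields stay None for a public blob."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    btype, _bversion, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if alg not in (CALG_RSA_KEYX, CALG_RSA_SIGN):
        raise ValueError("not an RSA key blob: aiKeyAlg=0x%08x" % alg)
    full, half = bitlen // 8, bitlen // 16
    offset = HEADER_LEN

    def take(size: int) -> int:
        nonlocal offset
        if offset + size > len(blob):
            raise ValueError("blob truncated")
        value = int.from_bytes(blob[offset:offset + size], "little")
        offset += size
        return value

    key = {"bits": bitlen, "e": pubexp, "n": take(full),
           "p": None, "q": None, "dmp1": None, "dmq1": None, "iqmp": None, "d": None}
    if btype == PUBLICKEYBLOB and magic == RSA1_MAGIC:
        return key                       # only n and e: the blob the thread's code converted
    if btype == PRIVATEKEYBLOB and magic == RSA2_MAGIC:
        key["p"], key["q"] = take(half), take(half)
        key["dmp1"], key["dmq1"], key["iqmp"] = take(half), take(half), take(half)
        key["d"] = take(full)
        return key
    raise ValueError("unexpected bType=0x%02x magic=0x%08x" % (btype, magic))


def modulus_for_bn_bin2bn(blob: bytes) -> bytes:
    """The modulus in the byte order BN_bin2bn expects (big-endian): exactly bitlen/8
    bytes taken from the blob and reversed, i.e. the RevBuffer step of the thread's code."""
    bitlen = struct.unpack_from("<I", blob, 12)[0]
    return blob[HEADER_LEN:HEADER_LEN + bitlen // 8][::-1]


def usable_as_private_key(key: dict) -> bool:
    """SSL_CTX_check_private_key only compares the public half with the certificate;
    the first private RSA operation is where a key with d == None falls over."""
    if key["d"] is None:
        return False
    m = 0x1234567                        # any message smaller than n
    return pow(pow(m, key["e"], key["n"]), key["d"], key["n"]) == m


if __name__ == "__main__":
    pub, priv = build_rsa_blobs(4294967291, 4294967279)   # constructed toy primes
    print("public blob usable for private ops: ", usable_as_private_key(parse_rsa_blob(pub)))
    print("private blob usable for private ops:", usable_as_private_key(parse_rsa_blob(priv)))
```

Note that the modulus field is exactly bitlen/8 bytes; copying bitlen/8 + 1 bytes, as the Delphi function in the original post does, reads one byte past the field.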
Re: Private Key from Windows Cert Store
Fili, can you please share the snippet for this? I am still not able to get this to work. It keeps on giving an error.
Re: Private Key from Windows Cert Store
I am using the same method; I am not able to load the private key.
RE: Private Key from Windows Cert Store
Ok, I look to have got it working. Using SSL_CTX_set_default_verify_paths after registering the engine worked as desired. Also SSL_CTX_use_certificate_ASN1 with cbCertEncoded and pbCertEncoded from the CERT_CONTEXT seemed to work as well.

Thanks for all your help.
RE: Private Key from Windows Cert Store
I rebuilt OpenSSL and didn't get a capi.dll. I'm using 0.9.8k. Is there something I'm missing in the build process that I need to change to get the engines compiled in? From what I've read it looks like it builds these engines into the openssl dlls. The following still returns NULL for me.

    ENGINE_load_builtin_engines();
    ENGINE *e = ENGINE_by_id("capi");

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Tuesday, November 30, 2010 11:49 AM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

When you build OpenSSL it should produce a capi.dll file which needs to be installed in an appropriate place: where depends on how you've configured OpenSSL.

Do you want to use the private key for client authentication? If so there is an automatic certificate selection process which may help.

Otherwise you call ENGINE_load_privatekey(engine, id, NULL, NULL); then pass the EVP_PKEY structure to SSL_CTX_use_PrivateKey(). Where id is (by default) a string passed to CertFindCertificateInStore().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Private Key from Windows Cert Store
The CAPI ENGINE isn't compiled in by default in OpenSSL 0.9.8x; it needs the command line switch enable-capieng to Configure. Also the ENGINE dll build process isn't enabled in 0.9.8x so you'll get it built into libeay32.dll.

The CAPI ENGINE is compiled by default in 1.0.0x and the dll ENGINE support enabled so you should get a capi.dll with that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Private Key from Windows Cert Store
LNK2019: unresolved external symbol _DSO_load referenced in function _ibm_4758_cca_init
e_4758cca.obj : error LNK2019: unresolved external symbol _BUF_strdup referenced in function _set_CCA4758_LIB_NAME
e_4758cca.obj : error LNK2019: unresolved external symbol _RSA_free referenced in function _ibm_4758_load_privkey
e_4758cca.obj : error LNK2019: unresolved external symbol _EVP_PKEY_free referenced in function _ibm_4758_load_privkey
e_4758cca.obj : error LNK2019: unresolved external symbol _EVP_PKEY_assign referenced in function _ibm_4758_load_privkey
e_4758cca.obj : error LNK2019: unresolved external symbol _EVP_PKEY_new referenced in function _ibm_4758_load_privkey
e_4758cca.obj : error LNK2019: unresolved external symbol _BN_bin2bn referenced in function _ibm_4758_load_privkey
e_4758cca.obj : error LNK2019: unresolved external symbol _RSA_set_ex_data referenced in function _ibm_4758_load_privkey
e_4758cca.obj : error LNK2019: unresolved external symbol _RSA_new_method referenced in function _ibm_4758_load_privkey
out32dll.dbg\4758cca.dll : fatal error LNK1120: 43 unresolved externals
NMAKE : fatal error U1077: 'C:\Program Files\Microsoft Visual Studio 9.0\VC\BIN\link.EXE' : return code '0x460'
Stop.
RE: Private Key from Windows Cert Store
Ok, I got it loading. Thanks. I still have an issue, which would stem from my lack of understanding of OpenSSL. This seems to succeed in giving me the private key.

    ENGINE_load_builtin_engines();
    if( ENGINE *e = ENGINE_by_id("capi") ) {
        if( ENGINE_init(e) ) {
            ENGINE_register_complete(e);
            EVP_PKEY *privateKey = ENGINE_load_private_key(e, certificate.Subject().c_str(), 0, 0);
            SSL_CTX_use_PrivateKey(pContext, privateKey);
            ENGINE_finish(e);
            ENGINE_free(e);
        }
    }

Now I need to make the equivalent call for SSL_CTX_use_certificate_file, which I'm guessing is SSL_CTX_use_certificate, and I get the cert from ENGINE_load_ssl_client_cert. I'm a little unclear on what to pass into ENGINE_load_ssl_client_cert. Also, will SSL_CTX_set_default_verify_paths use the CA certs from the Windows store or is there another engine call I have to make?

Again, thanks. You have been so helpful.
RE: Private Key from Windows Cert Store
Thanks, but I was more looking for docs on the interop of OpenSSL and the Crypto API. I got most of the info from the capi that I needed except the private key, which from what I've read may not always be exportable anyway. I was looking for how to call the following functions with a location in the store, instead of a file:

SSL_CTX_load_verify_locations
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_chain_file

or replacement functions that need to be called instead. Also, I'm having issues compiling with capi engine support. The engine doesn't appear to load as I get NULL from ENGINE_by_id("capi");

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Stef Hoeben
Sent: Sunday, November 28, 2010 12:58 PM
To: openssl-users@openssl.org
Subject: RE: Private Key from Windows Cert Store

Hi Tom, here's the code of a little cmd line tool we use to test our CSPs.

Cheers, Stef

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Fili, Tom
Sent: Sunday, 28 November 2010 18:19
To: openssl-users@openssl.org
Subject: RE: Private Key from Windows Cert Store

Is there a place that has some docs or examples of the capi API? I've looked around, but haven't found any good source for these.

Tom Fili
Software Engineer
Analytical Graphics Inc.

-Original Message-
From: owner-openssl-us...@openssl.org on behalf of So Gerald
Sent: Fri 11/26/2010 4:35 AM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

I think you may use the CAPI engine instead.

2010/11/24 Fili, Tom tf...@agi.com

I'm trying to load a private key file of a personal cert from a key file and load it like so:

SSL_CTX_use_PrivateKey_file(pSSLContext, privateKeyFile, SSL_FILETYPE_PEM)

However the certificate is in the Windows Certificate Store. I'm trying to write it out to a PEM file, but I'm not quite sure how to get the data that goes in between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. For the certificate pem file I can just base64 encode pbCertEncoded from the CERT_CONTEXT, but no idea what to do for the private key. I've tried so many things but all are incorrect. I've exported the file from the MMC snap-in and used OpenSSL to convert it to a pem file and that works, but I have no idea how to get that info programmatically. Any help would be appreciated.

Tom Fili
Software Engineer
Analytical Graphics Inc.
Re: Private Key from Windows Cert Store
Before you can use ENGINE_by_id, you need to call ENGINE_load_builtin_engines();

I am also not able to use the private key from the cert store. Let me know in case you are able to do that.

On Tue, Nov 30, 2010 at 9:16 AM, Fili, Tom tf...@agi.com wrote:

Thanks, but I was more looking for docs on the interop of OpenSSL and the Crypto API. I got most of the info from the capi that I needed except the private key, which from what I've read may not always be exportable anyway. I was looking for how to call the following functions with a location in the store, instead of a file:

SSL_CTX_load_verify_locations
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_chain_file

or replacement functions that need to be called instead. Also, I'm having issues compiling with capi engine support. The engine doesn't appear to load as I get NULL from ENGINE_by_id("capi");

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Stef Hoeben
Sent: Sunday, November 28, 2010 12:58 PM
To: openssl-users@openssl.org
Subject: RE: Private Key from Windows Cert Store

Hi Tom, here's the code of a little cmd line tool we use to test our CSPs.

Cheers, Stef

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Fili, Tom
Sent: Sunday, 28 November 2010 18:19
To: openssl-users@openssl.org
Subject: RE: Private Key from Windows Cert Store

Is there a place that has some docs or examples of the capi API? I've looked around, but haven't found any good source for these.

Tom Fili
Software Engineer
Analytical Graphics Inc.

-Original Message-
From: owner-openssl-us...@openssl.org on behalf of So Gerald
Sent: Fri 11/26/2010 4:35 AM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

I think you may use the CAPI engine instead.

2010/11/24 Fili, Tom tf...@agi.com

I'm trying to load a private key file of a personal cert from a key file and load it like so:

SSL_CTX_use_PrivateKey_file(pSSLContext, privateKeyFile, SSL_FILETYPE_PEM)

However the certificate is in the Windows Certificate Store. I'm trying to write it out to a PEM file, but I'm not quite sure how to get the data that goes in between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. For the certificate pem file I can just base64 encode pbCertEncoded from the CERT_CONTEXT, but no idea what to do for the private key. I've tried so many things but all are incorrect. I've exported the file from the MMC snap-in and used OpenSSL to convert it to a pem file and that works, but I have no idea how to get that info programmatically. Any help would be appreciated.

Tom Fili
Software Engineer
Analytical Graphics Inc.
Re: Private Key from Windows Cert Store
On Tue, Nov 30, 2010, Fili, Tom wrote:

Thanks, but I was more looking for docs on the interop of OpenSSL and the Crypto API. I got most of the info from the capi that I needed except the private key, which from what I've read may not always be exportable anyway. I was looking for how to call the following functions with a location in the store, instead of a file:

SSL_CTX_load_verify_locations
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_chain_file

or replacement functions that need to be called instead. Also, I'm having issues compiling with capi engine support. The engine doesn't appear to load as I get NULL from ENGINE_by_id("capi");

When you build OpenSSL it should produce a capi.dll file which needs to be installed in an appropriate place: where depends on how you've configured OpenSSL.

Do you want to use the private key for client authentication? If so there is an automatic certificate selection process which may help.

Otherwise you call ENGINE_load_private_key(engine, id, NULL, NULL); then pass the EVP_PKEY structure to SSL_CTX_use_PrivateKey(). Where id is (by default) a string passed to CertFindCertificateInStore().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
RE: Private Key from Windows Cert Store
Is there a place that has some docs or examples of the capi API? I've looked around, but haven't found any good source for these.

Tom Fili
Software Engineer
Analytical Graphics Inc.

-Original Message-
From: owner-openssl-us...@openssl.org on behalf of So Gerald
Sent: Fri 11/26/2010 4:35 AM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

I think you may use the CAPI engine instead.

2010/11/24 Fili, Tom tf...@agi.com

I'm trying to load a private key file of a personal cert from a key file and load it like so:

SSL_CTX_use_PrivateKey_file(pSSLContext, privateKeyFile, SSL_FILETYPE_PEM)

However the certificate is in the Windows Certificate Store. I'm trying to write it out to a PEM file, but I'm not quite sure how to get the data that goes in between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. For the certificate pem file I can just base64 encode pbCertEncoded from the CERT_CONTEXT, but no idea what to do for the private key. I've tried so many things but all are incorrect. I've exported the file from the MMC snap-in and used OpenSSL to convert it to a pem file and that works, but I have no idea how to get that info programmatically. Any help would be appreciated.

Tom Fili
Software Engineer
Analytical Graphics Inc.
RE: Private Key from Windows Cert Store
Hi Tom, here's the code of a little cmd line tool we use to test our CSPs.

Cheers, Stef

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Fili, Tom
Sent: Sunday, 28 November 2010 18:19
To: openssl-users@openssl.org
Subject: RE: Private Key from Windows Cert Store

Is there a place that has some docs or examples of the capi API? I've looked around, but haven't found any good source for these.

Tom Fili
Software Engineer
Analytical Graphics Inc.

-Original Message-
From: owner-openssl-us...@openssl.org on behalf of So Gerald
Sent: Fri 11/26/2010 4:35 AM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

I think you may use the CAPI engine instead.

2010/11/24 Fili, Tom tf...@agi.com

I'm trying to load a private key file of a personal cert from a key file and load it like so:

SSL_CTX_use_PrivateKey_file(pSSLContext, privateKeyFile, SSL_FILETYPE_PEM)

However the certificate is in the Windows Certificate Store. I'm trying to write it out to a PEM file, but I'm not quite sure how to get the data that goes in between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. For the certificate pem file I can just base64 encode pbCertEncoded from the CERT_CONTEXT, but no idea what to do for the private key. I've tried so many things but all are incorrect. I've exported the file from the MMC snap-in and used OpenSSL to convert it to a pem file and that works, but I have no idea how to get that info programmatically. Any help would be appreciated.

Tom Fili
Software Engineer
Analytical Graphics Inc.

Attachment: testcapi.c
Re: Private Key from Windows Cert Store
I think you may use the CAPI engine instead.

2010/11/24 Fili, Tom tf...@agi.com

I'm trying to load a private key file of a personal cert from a key file and load it like so:

SSL_CTX_use_PrivateKey_file(pSSLContext, privateKeyFile, SSL_FILETYPE_PEM)

However the certificate is in the Windows Certificate Store. I'm trying to write it out to a PEM file, but I'm not quite sure how to get the data that goes in between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. For the certificate pem file I can just base64 encode pbCertEncoded from the CERT_CONTEXT, but no idea what to do for the private key. I've tried so many things but all are incorrect. I've exported the file from the MMC snap-in and used OpenSSL to convert it to a pem file and that works, but I have no idea how to get that info programmatically. Any help would be appreciated.

Tom Fili
Software Engineer
Analytical Graphics Inc.
Private Key from Windows Cert Store
I'm trying to load a private key file of a personal cert from a key file and load it like so:

SSL_CTX_use_PrivateKey_file(pSSLContext, privateKeyFile, SSL_FILETYPE_PEM)

However the certificate is in the Windows Certificate Store. I'm trying to write it out to a PEM file, but I'm not quite sure how to get the data that goes in between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. For the certificate pem file I can just base64 encode pbCertEncoded from the CERT_CONTEXT, but no idea what to do for the private key. I've tried so many things but all are incorrect. I've exported the file from the MMC snap-in and used OpenSSL to convert it to a pem file and that works, but I have no idea how to get that info programmatically. Any help would be appreciated.

Tom Fili
Software Engineer
Analytical Graphics Inc.