CAPI-Engine doc

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

CAPI-Engine doc

OpenSSL - User mailing list
Hi!

I'm trying to get a handle on the CAPI engine, because I need to have a
secure Keystore on Windows. Furthermore I need it to work with Qt's
QSslKey, which fortunately can be constructed by EVP_PKEY *.

So far so good. The key is found, but when I try to use it in a SSL
connection i get following error:

error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object,
error:1409B006:SSL routines:ssl3_send_server_key_exchange:EVP lib

I use a current Windows 10. Do I need to use a different Algorithm in
order to work? Some googeling is indicating the provider might be wrong.


Regards,

Richard



I juse following code to load the key:

     ENGINE *engine = ENGINE_by_id("dynamic");
     assert(engine);
     ENGINE_ctrl_cmd_string(engine, "SO_PATH", "./capi.dll", 0);
     ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0);

     assert(ENGINE_init(engine));
     assert(ENGINE_register_complete(engine));

     ERR_load_ENGINE_strings();

     assert(ENGINE_cmd_is_executable(engine, CAPI_CMD_DEBUG_LEVEL));
     assert(ENGINE_ctrl(engine, CAPI_CMD_DEBUG_LEVEL, 2, nullptr, nullptr));
     assert(ENGINE_ctrl(engine, CAPI_CMD_DEBUG_FILE, 0,
(void*)"C:\\Users\\user\\AppData\\Local\\Temp\\engine.txt", 0));
     EVP_PKEY *key = ENGINE_load_private_key(engine, "localhost", NULL,
NULL);
     if (!key)
     {
         cerr << "key is null";
         return {};
     }
     QSslKey ssl_key(static_cast<Qt::HANDLE>(key));

Trace Output is:

Setting debug file to C:\Users\user\AppData\Local\Temp\engine.txt
Opening certificate store MY
capi_get_key, contname={4EBA52A8-AB4B-47DB-B777-2B26351F324C},
provname=Microsoft Enhanced Cryptographic Provider v1.0, type=1
Called CAPI_rsa_sign()


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: CAPI-Engine doc

Selva Nair
On Tue, Oct 23, 2018 at 10:38 AM Richard Oehlinger via openssl-users
<[hidden email]> wrote:

>
> Hi!
>
> I'm trying to get a handle on the CAPI engine, because I need to have a
> secure Keystore on Windows. Furthermore I need it to work with Qt's
> QSslKey, which fortunately can be constructed by EVP_PKEY *.
>
> So far so good. The key is found, but when I try to use it in a SSL
> connection i get following error:
>
> error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object,
> error:1409B006:SSL routines:ssl3_send_server_key_exchange:EVP lib

Which version of OpenSSL?

> Trace Output is:
>
> Setting debug file to C:\Users\user\AppData\Local\Temp\engine.txt
> Opening certificate store MY
> capi_get_key, contname={4EBA52A8-AB4B-47DB-B777-2B26351F324C},
> provname=Microsoft Enhanced Cryptographic Provider v1.0, type=1
> Called CAPI_rsa_sign()

This CSP cannot do SHA2 hashes so won't work unless you restrict
signature algorithms or set TLS version to 1.1. I believe OpenSSL
1.1.0 will try to load The ".. Enhanced RSA AES .. Provider" which
can handle SHA2 and may work. I say "may" because, if the key store is
a legacy hardware token, it also depends on signature algorithms supported
by the token and may be necessary to downgrade to TLS 1.1.

Selva
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: CAPI-Engine doc

Michael Wojcik
In reply to this post by OpenSSL - User mailing list
> From: openssl-users [mailto:[hidden email]] On Behalf
> Of Richard Oehlinger via openssl-users
> Sent: Tuesday, October 23, 2018 10:38
>
> I'm trying to get a handle on the CAPI engine, because I need to have a
> secure Keystore on Windows. Furthermore I need it to work with Qt's
> QSslKey, which fortunately can be constructed by EVP_PKEY *.

What OpenSSL version are you using? Please remember to include this informtion in every question. (And, normally, we'd ask for the platform as well, but since CAPI is Windows-specific, we know that in this case.)

> So far so good. The key is found, but when I try to use it in a SSL
> connection i get following error:
>
> error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object,
> error:1409B006:SSL routines:ssl3_send_server_key_exchange:EVP lib
>
> I use a current Windows 10. Do I need to use a different Algorithm in
> order to work? Some googeling is indicating the provider might be wrong.

I haven't looked at the CAPI engine code since 1.0.1j. At that time, I needed CAPI support and discovered there were various issues with the extant CAPI code, so I forked and rewrote it. That was some time back, obviously, and I'm afraid I never got around to pushing the changes back to openssl.org. (In fact, it was sufficiently long ago that I believe the organization was still reluctant to take contributions from people in the US at the time.)

The biggest issue was with provider handling. CAPI is something of a braindead API in many ways - Microsoft's replacement, CNG, is somewhat better - and the provider stuff is one of them. When a key (including a "key" which is actually just a reference to a key contained in an HSM) is imported into one of the Windows key stores, it has to be associated with a provider, and that provider has to accommodate that type and size of key; otherwise the key is unusable. Then, when you try to use the key in CAPI, you have to specify the same provider - CAPI isn't smart enough to figure it out on its own.

So my version of the CAPI engine has code to look up the key's provider and silently correct the provider type information in the engine's context structure if it's a mismatch.

Beyond that, it appears that my changes included:

- Support for building all the necessary functionality when using Microsoft Windows SDK 6.0A, which was one of my requirements at the time.

- Supporting hashes other than SHA-1 for DSA. We have US Federal customers who needed fairly comprehensive DSA support. For most people this is likely a non-issue.

- Forcing stack probes on for the callback functions, because my engine was being built outside the OpenSSL build process, but needed to match the calling convention of OpenSSL, which (at least in 1.0.1j) included stack-probe support.

- A fix suggested by Steven Henson years ago on the mailing list to capi_get_key, but never (at least by 1.0.1j) picked up in the source code: If CryptGetUserKey returns NTE_NO_KEY, xor keyspec with 3 to flip the key type and try CryptGetUesrKey again.

I think that's it, though it's possible I tweaked some other things and didn't call them out in the comments.

I suppose I should check what the CAPI engine source looks like in 1.1.1, merge my changes in if feasible, and submit a PR. One of these days...

Really, though, what we need is a new engine written to use CNG rather than CAPI. Though that would have the disadvantage of not supporting ancient Windows OS and SDK versions which, while unsupported by Microsoft, are still used in far too many places.

--
Michael Wojcik
Distinguished Engineer, Micro Focus


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: CAPI-Engine doc

OpenSSL - User mailing list
In reply to this post by Selva Nair
On 23/10/2018 17:22, Selva Nair wrote:

> On Tue, Oct 23, 2018 at 10:38 AM Richard Oehlinger via openssl-users
> <[hidden email]> wrote:
>> Hi!
>>
>> I'm trying to get a handle on the CAPI engine, because I need to have a
>> secure Keystore on Windows. Furthermore I need it to work with Qt's
>> QSslKey, which fortunately can be constructed by EVP_PKEY *.
>>
>> So far so good. The key is found, but when I try to use it in a SSL
>> connection i get following error:
>>
>> error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object,
>> error:1409B006:SSL routines:ssl3_send_server_key_exchange:EVP lib
> Which version of OpenSSL?
>
>> Trace Output is:
>>
>> Setting debug file to C:\Users\user\AppData\Local\Temp\engine.txt
>> Opening certificate store MY
>> capi_get_key, contname={4EBA52A8-AB4B-47DB-B777-2B26351F324C},
>> provname=Microsoft Enhanced Cryptographic Provider v1.0, type=1
>> Called CAPI_rsa_sign()
> This CSP cannot do SHA2 hashes so won't work unless you restrict
> signature algorithms or set TLS version to 1.1. I believe OpenSSL
> 1.1.0 will try to load The ".. Enhanced RSA AES .. Provider" which
> can handle SHA2 and may work. I say "may" because, if the key store is
> a legacy hardware token, it also depends on signature algorithms supported
> by the token and may be necessary to downgrade to TLS 1.1.
>
The above limitations are less severe in CNG ("CryptoAPI Next Generation")
on Windows 6.00 and later, where the old API and CSP names are actually
emulations on top of a new structure with much smaller "KSP" providers.
At the same time, the CNG emulation of the classic CryptoAPI functions
are limited to what was available in Windows 5.01 SP2 and 5.02 SP2, thus
much of the SHA-2 functionality is available only by calling the CNG
APIs directly on Windows >= 6.00, but the older APIs with a reference
to newer enum values introduced in Windows 5.01 SP3 or 5.02 SP2+Hotfix.

Put another way, Microsoft forked their crypto source tree sometime in
2004 or 2005, and anything added later was implemented differently in
the 5.0x and 6.0x code bases.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: CAPI-Engine doc

OpenSSL - User mailing list
In reply to this post by Selva Nair
On 10/23/2018 05:22 PM, Selva Nair wrote:

> On Tue, Oct 23, 2018 at 10:38 AM Richard Oehlinger via openssl-users
> <[hidden email]> wrote:
>> Hi!
>>
>> I'm trying to get a handle on the CAPI engine, because I need to have a
>> secure Keystore on Windows. Furthermore I need it to work with Qt's
>> QSslKey, which fortunately can be constructed by EVP_PKEY *.
>>
>> So far so good. The key is found, but when I try to use it in a SSL
>> connection i get following error:
>>
>> error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object,
>> error:1409B006:SSL routines:ssl3_send_server_key_exchange:EVP lib
> Which version of OpenSSL?
I use 1.0.2p.

>
>> Trace Output is:
>>
>> Setting debug file to C:\Users\user\AppData\Local\Temp\engine.txt
>> Opening certificate store MY
>> capi_get_key, contname={4EBA52A8-AB4B-47DB-B777-2B26351F324C},
>> provname=Microsoft Enhanced Cryptographic Provider v1.0, type=1
>> Called CAPI_rsa_sign()
> This CSP cannot do SHA2 hashes so won't work unless you restrict
> signature algorithms or set TLS version to 1.1. I believe OpenSSL
> 1.1.0 will try to load The ".. Enhanced RSA AES .. Provider" which
> can handle SHA2 and may work. I say "may" because, if the key store is
> a legacy hardware token, it also depends on signature algorithms supported
> by the token and may be necessary to downgrade to TLS 1.1.
>
> Selva
Yes this did the trick, when forced the TLS version 1.1 the key did work.
Unfortunately I've requirement of 1.2 on my project.
I managed to set the provider name from outside when using a different
lookup method:

     assert(ENGINE_ctrl(engine, CAPI_CMD_SET_CSP_TYPE, PROV_RSA_AES, 0, 0));
     assert(ENGINE_ctrl(engine, CAPI_CMD_SET_CSP_NAME, 0,
(void*)MS_ENH_RSA_AES_PROV, 0))
     assert(ENGINE_ctrl(engine, CAPI_CMD_LOOKUP_METHOD,
CAPI_LU_CONTNAME, 0,0));
     EVP_PKEY *key = ENGINE_load_private_key(engine,
"{4EBA52A8-AB4B-47DB-B777-2B26351F324C}", NULL, NULL);

Now I need to somehow lookup the key name myself, but at least it works
with TLS 1.2 now.

Thank you for all your help!
Regards,
Richard


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users