How to use CAPI engine in OpenSSL 1.0.0a


How to use CAPI engine in OpenSSL 1.0.0a

Michal Trojnara

Guys,

I spent a day trying to load CAPI engine in OpenSSL 1.0.0a.

The error I received was:

C:\test>openssl engine -t dynamic -pre "SO_PATH:capieay32" -pre ID:capi
-pre LOAD
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:capieay32
[Success]: ID:capi
[Failure]: LOAD
5220:error:260B606D:engine routines:DYNAMIC_LOAD:init
failed:eng_dyn.c:521:
     [ unavailable ]

The same error is printed when a full path is specified.
For an incorrect file name it returned a different error:

C:\test>openssl engine -t dynamic -pre "SO_PATH:nonexisting" -pre ID:capi
-pre LOAD
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:nonexisting
[Success]: ID:capi
[Failure]: LOAD
4672:error:25078067:DSO support routines:WIN32_LOAD:could not load the
shared library:dso_win32.c:18
0:filename(nonexisting.dll)
4672:error:25070067:DSO support routines:DSO_load:could not load the
shared library:dso_lib.c:244:
4672:error:260B6084:engine routines:DYNAMIC_LOAD:dso not
found:eng_dyn.c:450:
     [ unavailable ]

Was anyone able to use CAPI in OpenSSL 1.0.0a?  I tried to find an
example on the Internet, but without any luck.

Best regards,
    Mike
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: How to use CAPI engine in OpenSSL 1.0.0a

Patrick Patterson-3
Hi Michal:

The following is an extract from one of our How-To docs that we're about to release:

Install the Win32 OpenSSL standard Binary Package:

Create the following in C:\openssl-win32\bin\openssl.cnf

#
# OpenSSL example configuration file for definition of CAPI engine.
#
openssl_conf = openssl_init

[openssl_init]
oid_section = new_oids
engines = engine_section

[engine_section]
capi = capi_config

[capi_config]
engine_id = capi
dynamic_path = c:\\openssl-win32\\bin\\capi.dll
init=1

This sets up OpenSSL to be able to use the CAPI engine.

Confirm this is working by typing the following:

openssl engine -t -post list_csps

And you should see a list as follows:

Available CSPs:
0. Gemalto Classic Card CSP, type 1
1. Infineon SICRYPT Base Smart Card CSP, type 1
2. Microsoft Base Cryptographic Provider v1.0, type 1
3. Microsoft Base DSS and Diffie-Hellman Cryptographic Provider, type 13
4. Microsoft Base DSS Cryptographic Provider, type 3
5. Microsoft Base Smart Card Crypto Provider, type 1
6. Microsoft DH SChannel Cryptographic Provider, type 18
7. Microsoft Enhanced Cryptographic Provider v1.0, type 1
8. Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider, type 13
9. Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype), type 24
10. Microsoft Exchange Cryptographic Provider v1.0, type 5
11. Microsoft RSA SChannel Cryptographic Provider, type 12
12. Microsoft Strong Cryptographic Provider, type 1
13. Schlumberger Cryptographic Service Provider, type 1
[Success]: list_csps

From here, some interesting things to be able to do:

openssl engine -t -post list_options:35 -post list_certs

This will list all of the certs as well as information about their private keys (whether that certificate has a private key in the store associated with it).

Have fun!

Patrick.

On 2010-09-08, at 10:19 AM, Michal Trojnara wrote:


---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

tel: +1 514 485 0789
mobile: +1 514 994 8699
fax: +1 450 424 9559






Re: How to use CAPI engine in OpenSSL 1.0.0a

Michal Trojnara

Patrick Patterson wrote:
> openssl engine -t -post list_options:35 -post list_certs

Thank you very much for mentioning the "standard Binary Package".  The
following even works without a .cnf file:
C:\OpenSSL-Win32\bin>openssl engine -t dynamic -pre SO_PATH:capi -pre
ID:capi -pre LOAD -post list_options:35 -post list_certs

Unfortunately the mingw build of engines seems to be broken.  I normally
cross-compile OpenSSL under Debian with:
./Configure --cross-compile-prefix=i586-mingw32msvc- mingw shared
zlib-dynamic && make

Unfortunately this simple option seems to produce an unusable CAPI dll.  I
found the following references:
http://rt.openssl.org/Ticket/Display.html?id=1747
http://www.listware.net/201006/openssl-dev/11903-compiling-openssl-100a-using-mingw-my-notes.html

Was anyone able to get CAPI engine working using mingw compiler?

Best regards,
    Mike

Re: How to use CAPI engine in OpenSSL 1.0.0a

ken@bitzermobile.com
In reply to this post by Patrick Patterson-3

This is good.  How do I specify the "Local Computer" store and specify a
certificate I want to use, for example an SSL certificate in Apache?
Ken

Re: How to use CAPI engine in OpenSSL 1.0.0a

ken@bitzermobile.com
openssl engine -t -post store_flags:1 -post list_certs capi

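As an added example (not part of the thread): a small Python helper that builds the two command lines used in this thread (the dynamic-load form and the openssl.cnf form with store_flags:1 for the Local Computer store) and parses `openssl engine` output so a script can tell a DLL that was not found from one that loads but fails DYNAMIC_LOAD init, which is the difference between Mike's two error dumps. The function names and the embedded sample output are mine; the sample is the thread's first failure with the wrapped error line joined back together.

```python
"""Classify `openssl engine` output when loading the CAPI engine (added example,
not from the thread): loaded, DLL not found, or DLL found but init failed."""
import re

# Error lines: pid:error:CODE:lib:func:reason:file:line: (fields after reason optional)
ERR_LINE = re.compile(r"^\d+:error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*)")
CSP_LINE = re.compile(r"^(\d+)\.\s+(.+),\s+type\s+(\d+)$")
RESULT_LINE = re.compile(r"^\[(Success|Failure)\]:\s*(\S+)")
DSO_FUNCS = {"WIN32_LOAD", "DSO_load"}  # DSO errors: the DLL itself was not found

SAMPLE_INIT_FAILED = """(dynamic) Dynamic engine loading support
[Success]: SO_PATH:capieay32
[Success]: ID:capi
[Failure]: LOAD
5220:error:260B606D:engine routines:DYNAMIC_LOAD:init failed:eng_dyn.c:521:
     [ unavailable ]
"""  # constructed sample: the thread's first failure, error line unwrapped

def dynamic_load_cmd(so_path="capi", engine_id="capi", post=()):
    """Load the engine without an openssl.cnf, as the thread does."""
    cmd = ["openssl", "engine", "-t", "dynamic", "-pre", f"SO_PATH:{so_path}",
           "-pre", f"ID:{engine_id}", "-pre", "LOAD"]
    return cmd + [a for p in post for a in ("-post", p)]

def config_cmd(post=("store_flags:1", "list_certs"), engine_id="capi"):
    """Use the engine from openssl.cnf; store_flags:1 selects the Local Computer store."""
    return ["openssl", "engine", "-t"] + [a for p in post for a in ("-post", p)] + [engine_id]

def classify(output):
    """Parse the tool's output into results, errors, CSP list and a verdict."""
    results, errors, csps, available = {}, [], [], None
    for raw in output.splitlines():
        line = raw.strip()
        if m := RESULT_LINE.match(line):
            results[m.group(2)] = m.group(1) == "Success"
        elif m := ERR_LINE.match(line):
            errors.append((m.group(1).upper(), m.group(3), m.group(4).strip()))
        elif m := CSP_LINE.match(line):
            csps.append((int(m.group(1)), m.group(2), int(m.group(3))))
        elif line in ("[ available ]", "[ unavailable ]"):
            available = line == "[ available ]"
    if results.get("LOAD", available):
        verdict = "loaded"
    elif {f for _, f, _ in errors} & DSO_FUNCS:
        verdict = "dll-not-found"  # wrong SO_PATH / dynamic_path
    elif any(f == "DYNAMIC_LOAD" and r.startswith("init") for _, f, r in errors):
        verdict = "init-failed"    # DLL loaded, but unusable with this OpenSSL build
    else:
        verdict = "unknown"
    return {"verdict": verdict, "results": results, "errors": errors, "csps": csps}
```

On the Windows box, pass `classify` the combined stdout and stderr of the command (for example from `subprocess.run(dynamic_load_cmd(), capture_output=True, text=True)`); "dll-not-found" means check the path, "init-failed" means check the DLL build.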