Microsoft CryptoAPI and OpenSSL

Microsoft CryptoAPI and OpenSSL

Han Jun Li
Hi,
        I have created a plugin for OpenSSL which reads a certificate through
Microsoft's CryptoAPI. The problem is that the private key is not returned
and I just have a handle to it.  During the handshake with a Java JSSE
client, I get an error of BAD_MAC.  If the certificate was stored as a PEM
file with the private key accessible, everything works ok.

        Does anyone have success using Java Client to talk to OpenSSL using a
CryptoAPI stored certificate?  Any help will be greatly appreciated!
        Thanks!

/han


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: Microsoft CryptoAPI and OpenSSL

Anton D. Kachalov
CAPI uses PVK format for private keys. You can find out more information
here:
http://www.drh-consultancy.demon.co.uk/pvk.html
http://www.drh-consultancy.demon.co.uk/pkcs12faq.html

I modified the original pvk program to work properly with CryptImportKey.
http://lrn.ru/~mouse/pvk-0.12-alt.tar.bz2
Run it as:
pvk -in private.pem -out private.pvk -topvk -nocrypt -keyonly
The last argument is my modification, which creates a proper PVK file for use
with CryptImportKey.

On Sun, Dec 04, 2005 at 01:41:03AM -0500, Han Jun Li wrote:

> Hi,
> I have created a plugin for OpenSSL which reads a certificate
> through Microsoft's CryptoAPI. The problem is that the private key is not
> returned and I just have a handle to it.  During the handshake with a Java
> JSSE client, I get an error of BAD_MAC.  If the certificate was stored as a
> PEM file with the private key accessible, everything works ok.
>
> Does anyone have success using Java Client to talk to OpenSSL using
> a CryptoAPI stored certificate?  Any help will be greatly appreciated!
> Thanks!
>
> /han
>
>
--
mouse

Re: Microsoft CryptoAPI and OpenSSL

Dr. Stephen Henson
On Sun, Dec 04, 2005, Anton D. Kachalov wrote:

> CAPI uses PVK format for private keys. You can find out more information
> here:
> http://www.drh-consultancy.demon.co.uk/pvk.html
> http://www.drh-consultancy.demon.co.uk/pkcs12faq.html
>
>

The term "PVK" is normally used only for PVK files. The form used by CryptoAPI
CryptImportKey and CryptExportKey is referred to as a PRIVATEKEYBLOB and
PUBLICKEYBLOB.

OpenSSL 0.9.9-dev can handle PVK, PRIVATEKEYBLOB and PUBLICKEYBLOB using the
'rsa' and 'dsa' tools. It includes some additional functionality and fixes not
present in my old pvk utilities.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
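Steve's distinction between PVK files and the PRIVATEKEYBLOB/PUBLICKEYBLOB forms that CryptImportKey and CryptExportKey consume is easier to follow with the byte layout in hand. The following is an added example, not code from this thread, from OpenSSL or from Microsoft: a Python builder and parser for RSA PUBLICKEYBLOB/PRIVATEKEYBLOB structures. The layout (BLOBHEADER, then RSAPUBKEY, then little-endian magnitudes whose sizes are derived from the header's bitlen) is the one documented in wincrypt.h; the 64-bit toy key made from two primes just under 2^32 is constructed purely so the blob stays short, and the function names are mine.

```python
import struct

# Microsoft CryptoAPI key blob constants (values as defined in wincrypt.h).
PUBLICKEYBLOB = 0x06
PRIVATEKEYBLOB = 0x07
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
CALG_RSA_SIGN = 0x00002400
RSA1_MAGIC = 0x31415352   # b'RSA1' read as a little-endian DWORD (public key)
RSA2_MAGIC = 0x32415352   # b'RSA2' (private key)

HEADER = struct.Struct('<BBHI')    # BLOBHEADER: bType, bVersion, reserved, aiKeyAlg
RSAPUBKEY = struct.Struct('<III')  # RSAPUBKEY: magic, bitlen, pubexp


def _le(value, size):
    """CryptoAPI stores every magnitude little-endian (OpenSSL BIGNUMs and DER are big-endian)."""
    return value.to_bytes(size, 'little')


def build_public_blob(n, e, alg=CALG_RSA_KEYX):
    bitlen = n.bit_length()
    if bitlen % 8 or e >= 1 << 32:
        raise ValueError('bitlen must be a multiple of 8 and pubexp must fit in a DWORD')
    return (HEADER.pack(PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, alg)
            + RSAPUBKEY.pack(RSA1_MAGIC, bitlen, e) + _le(n, bitlen // 8))


def build_private_blob(p, q, e, alg=CALG_RSA_KEYX):
    n = p * q
    bitlen = n.bit_length()
    if bitlen % 16 or e >= 1 << 32:
        raise ValueError('private blobs need bitlen % 16 == 0 (CRT fields are bitlen/16 bytes)')
    full, half = bitlen // 8, bitlen // 16
    d = pow(e, -1, (p - 1) * (q - 1))
    return (HEADER.pack(PRIVATEKEYBLOB, CUR_BLOB_VERSION, 0, alg)
            + RSAPUBKEY.pack(RSA2_MAGIC, bitlen, e)
            + _le(n, full) + _le(p, half) + _le(q, half)
            + _le(d % (p - 1), half) + _le(d % (q - 1), half)
            + _le(pow(q, -1, p), half) + _le(d, full))


def parse_key_blob(blob):
    """Parse an RSA PUBLICKEYBLOB or PRIVATEKEYBLOB into Python integers, validating as it goes."""
    fixed = HEADER.size + RSAPUBKEY.size
    if len(blob) < fixed:
        raise ValueError('blob shorter than BLOBHEADER + RSAPUBKEY')
    btype, version, reserved, alg = HEADER.unpack_from(blob, 0)
    magic, bitlen, pubexp = RSAPUBKEY.unpack_from(blob, HEADER.size)
    if version != CUR_BLOB_VERSION or reserved != 0:
        raise ValueError('unexpected bVersion/reserved')
    if alg not in (CALG_RSA_KEYX, CALG_RSA_SIGN):
        raise ValueError('aiKeyAlg is not an RSA algorithm')
    expected_magic = {PUBLICKEYBLOB: RSA1_MAGIC, PRIVATEKEYBLOB: RSA2_MAGIC}.get(btype)
    if expected_magic is None or magic != expected_magic:
        raise ValueError('bType and RSAPUBKEY magic disagree')
    private = btype == PRIVATEKEYBLOB
    if bitlen == 0 or bitlen % (16 if private else 8):
        raise ValueError('bitlen is not a valid RSA key size for this blob type')
    full, half = bitlen // 8, bitlen // 16
    # Field sizes come from the header's bitlen, so check the body length against it
    # before indexing; an importer that trusts bitlen blindly over-reads on a short blob.
    layout = [('n', full)]
    if private:
        layout += [('p', half), ('q', half), ('dp', half), ('dq', half), ('qinv', half), ('d', full)]
    body = blob[fixed:]
    expected = sum(size for _, size in layout)
    if len(body) != expected:
        raise ValueError(f'expected {expected} body bytes, got {len(body)}')
    key = {'type': 'private' if private else 'public', 'alg': alg, 'bitlen': bitlen, 'e': pubexp}
    offset = 0
    for name, size in layout:
        key[name] = int.from_bytes(body[offset:offset + size], 'little')
        offset += size
    return key


def check_private_key(key):
    """Consistency checks worth running before trusting a parsed PRIVATEKEYBLOB."""
    n, e, d, p, q = key['n'], key['e'], key['d'], key['p'], key['q']
    if p * q != n:
        return False
    if key['dp'] != d % (p - 1) or key['dq'] != d % (q - 1) or key['qinv'] != pow(q, -1, p):
        return False
    m = 0x1234567  # constructed probe value, well below n
    return pow(pow(m, e, n), d, n) == m


if __name__ == '__main__':
    # Constructed toy key: two primes just under 2^32, so the blob is only 56 bytes.
    p, q = 4294967291, 4294967279
    blob = build_private_blob(p, q, 65537)
    key = parse_key_blob(blob)
    print(key['type'], key['bitlen'], hex(key['n']), check_private_key(key))
```

Two details matter when moving keys between this format and OpenSSL: every magnitude is little-endian, so a modulus pasted straight from a blob into a BIGNUM comes out byte-reversed, and the field sizes are dictated by the bitlen in the header rather than by the blob length, so the parser above checks the body length before reading any field.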
Re: Microsoft CryptoAPI and OpenSSL

Han Jun Li

Steve,
        Thanks for your comment.  I will take a look at OpenSSL 0.9.9-dev.  In the meantime, in the plug-in I wrote using OpenSSL 0.9.7i, I get an rsa_priv_dec call from OpenSSL when the Java client sends a change_cipher message.  If I call CryptoAPI to decode this data using the handle to the private key, would that work properly?
        If that doesn't work, then the only option I have is to get the private key from a file and set it to OpenSSL during context init.  This is not very ideal since the key is in plain text and anyone could get a copy of it if they have access to the server.
        Please comment.  Thanks!

/han



Re: Microsoft CryptoAPI and OpenSSL

Dr. Stephen Henson
On Sun, Dec 04, 2005, Han Jun Li wrote:

>
> Steve,
>         Thanks for your comment.  I will take a look at OpenSSL
> 0.9.9-dev.  In the meantime, in the plug-in I wrote using OpenSSL 0.9.7i,
> I get a rsa_priv_dec call from OpenSSL when the Java client sends a
> change_cipher message.  If I call CryptoAPI to decode this data using the
> handle to private key, would that work properly?
>

If this is during client authentication you should get an rsa_priv_enc call for
the signature operation.

However CryptoAPI doesn't have an equivalent call. It's better to use the
rsa_sign redirection instead because then you can process the passed digest
and use a few CryptoAPI calls to get the required response.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
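Steve's reason for preferring the rsa_sign redirection over rsa_priv_enc is that rsa_sign receives the digest type and the digest itself, which is all a keystore that only hands out a key handle (Han's CryptoAPI case) needs in order to sign, while rsa_priv_enc receives an already-encoded block and expects a raw private-key operation. The following is an added example, not code from this thread or from OpenSSL: a Python model of what an rsa_sign callback has to produce (EMSA-PKCS1-v1_5 encoding of DigestInfo || digest followed by the private operation) with a matching strict verifier. It assumes the OpenSSL convention that NID_md5_sha1, the TLS 1.0/1.1 CertificateVerify case, means a raw 36-byte MD5||SHA-1 value with no DigestInfo; the key is a constructed toy built from two Mersenne primes, never acceptable as a real key, and the function names are mine.

```python
import hashlib

# Constructed toy key from two Mersenne primes so the modulus (1128 bits) is big enough
# for PKCS#1 v1.5 padding. Never use such a key for anything real.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # modulus length in bytes: 141

# DER DigestInfo prefixes (AlgorithmIdentifier + OCTET STRING header) from PKCS#1.
# 'md5_sha1' models OpenSSL's NID_md5_sha1: the TLS 1.0/1.1 CertificateVerify input,
# a raw MD5||SHA-1 (36 bytes) signed with type-1 padding and no DigestInfo at all.
DIGESTINFO = {
    'md5':      (16, bytes.fromhex('3020300c06082a864886f70d020505000410')),
    'sha1':     (20, bytes.fromhex('3021300906052b0e03021a05000414')),
    'sha256':   (32, bytes.fromhex('3031300d060960864801650304020105000420')),
    'md5_sha1': (36, b''),
}


def emsa_pkcs1_v15_encode(digest_type, digest, k):
    """EMSA-PKCS1-v1_5: 0x00 0x01 FF..FF 0x00 || T, with T = DigestInfo || digest."""
    hash_len, prefix = DIGESTINFO[digest_type]
    if len(digest) != hash_len:
        raise ValueError(f'{digest_type} digest must be {hash_len} bytes')
    t = prefix + digest
    if k < len(t) + 11:
        raise ValueError('modulus too short for this digest type')
    return b'\x00\x01' + b'\xff' * (k - len(t) - 3) + b'\x00' + t


def rsa_sign(digest_type, digest):
    """What an RSA_METHOD rsa_sign callback must return: the complete PKCS#1 v1.5 signature.
    It gets only the digest type and the digest, which is exactly what a keystore-backed
    signer working from a key handle can use. The pow() below stands in for the private
    operation such a backend performs internally without ever exposing D."""
    em = emsa_pkcs1_v15_encode(digest_type, digest, K)
    return pow(int.from_bytes(em, 'big'), D, N).to_bytes(K, 'big')


def rsa_verify(digest_type, digest, signature):
    """Strict verification: recover EM and compare the whole block, never just a prefix."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, 'big')
    if s >= N:
        return False
    em = pow(s, E, N).to_bytes(K, 'big')
    try:
        return em == emsa_pkcs1_v15_encode(digest_type, digest, K)
    except ValueError:
        return False


def tls10_certificate_verify_input(handshake_messages):
    """Digest type and value that would reach rsa_sign for a TLS 1.0 CertificateVerify:
    MD5 and SHA-1 over the handshake transcript, concatenated."""
    return 'md5_sha1', (hashlib.md5(handshake_messages).digest()
                        + hashlib.sha1(handshake_messages).digest())


if __name__ == '__main__':
    kind, value = tls10_certificate_verify_input(b'constructed handshake messages')
    sig = rsa_sign(kind, value)
    print(kind, len(sig), rsa_verify(kind, value, sig))
```

The contrast with rsa_priv_enc is in where the encoding happens: rsa_sign owns the whole path from digest to signature, so the private operation can be delegated to whatever holds the key, and the key material itself never has to be readable by the process, which addresses Han's concern about keeping a plaintext key file on the server.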