Hello,
I use the "MS capi" engine to access Windows store certificates and keys
from OpenSSL.
(And please, please: no Windows/Linux discussion here).
While working with capi engine, I found some things I would like to discuss
here.
Please forgive me that I have more than one item to discuss:
*Question 1:* Maybe there is a *minor bug* in e_capi.c? The constants for
lookup are off by one:
/* Substring of subject: uses "storename" */
#define CAPI_LU_SUBSTR 0
/* Friendly name: uses storename */
#define CAPI_LU_FNAME 1
/* Container name: uses cspname, keytype */
#define CAPI_LU_CONTNAME 2
The help text is better:
    {CAPI_CMD_LOOKUP_METHOD,
     "lookup_method",
     "Set key lookup method (1=substring, 2=friendlyname, 3=container name)",
And the capi_ctrl() function rejects CAPI_LU_SUBSTR as it is "0":
    case CAPI_CMD_LOOKUP_METHOD:
        if (i < 1 || i > 3)
        {
            CAPIerr(CAPI_F_CAPI_CTRL, CAPI_R_INVALID_LOOKUP_METHOD);
            return 0;
        }
*Question 2:* By the way, I miss a *lookup by thumbprint*.
Finding certificates by substring is not always perfect.
(As a side effect it could help implementing an X509_LOOKUP).
Could we extend the lookup? Like this:
    #define CAPI_LU_CONTNAME 3
    /* thumbprint (hash) search */
    #define CAPI_LU_THUMB 4
I could provide the implementation if an extension is agreed:
    static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx, const char *id,
                                         HCERTSTORE hstore)
    {
        ...
        switch(ctx->lookup_method)
        {
            case CAPI_LU_SUBSTR:
                return CertFindCertificateInStore(hstore,
                                                  X509_ASN_ENCODING, 0,
                                                  CERT_FIND_SUBJECT_STR_A, id, NULL);
            case CAPI_LU_THUMB:
                ...
                return CertFindCertificateInStore(hstore,
                                                  X509_ASN_ENCODING, 0,
                                                  CERT_FIND_HASH, blobID, NULL);
            case CAPI_LU_FNAME:
*Question 3:* I miss a way to set the *ctx->client_store* name; it's only
possible to set the server's ctx->storename.
The client_store is never set and always remains "My":
    {CAPI_CMD_STORE_NAME,
     "store_name",
     "certificate store name, default \"MY\"",
     ENGINE_CMD_FLAG_STRING},
Would an extension be wise? I would be happy with something like
    {CAPI_CMD_CLIENTSTORE_NAME,
     "clientstore_name",
     "client certificate store name, default \"MY\"",
     ENGINE_CMD_FLAG_STRING},
*Question 4:* I missed the implementation for
*ENGINE_load_public_key()*; the method is NULL.
There is already a much more complex ENGINE_load_private_key() method;
wouldn't the corresponding public method be a nice feature?
I could help in writing the missing implementation.
These four things would make my application code a lot easier. What do you
think?
Best regards
Christof
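The thumbprint lookup in Question 2 leaves out how the "id" string becomes the hash blob (blobID) that CERT_FIND_HASH expects. The following is an added example, not Christof's code and not from e_capi.c: it parses a thumbprint as the Windows certificate dialog displays it (hex pairs, with or without separators) into a 20-byte SHA-1 blob, and rejects anything that is not exactly a full thumbprint. It is portable C, so the blob struct is a stand-in for CRYPT_HASH_BLOB (an assumption; on Windows the real type from wincrypt.h would be used), and the thumbprint values used for checking are constructed.

```c
/* Added example, not Christof's code and not from e_capi.c: turn the
 * thumbprint string passed as "id" into the hash blob that
 * CertFindCertificateInStore(..., CERT_FIND_HASH, ...) takes. Portable C:
 * the struct mirrors CRYPT_HASH_BLOB (assumption: wincrypt.h's type on Windows). */
#include <ctype.h>
#include <stddef.h>

#define THUMB_SHA1_LEN 20          /* certificate thumbprints are SHA-1 */

typedef struct {
    unsigned long cbData;          /* number of hash bytes */
    unsigned char *pbData;         /* the hash bytes */
} thumb_hash_blob;                 /* stand-in for CRYPT_HASH_BLOB */

static int hex_nibble(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Parse "00:11:...", "00 11 ..." or "0011..." (as the Windows certificate
 * dialog shows it) into out[THUMB_SHA1_LEN] and point blob at it. Returns 1
 * on success, 0 on a bad character, odd digit count or wrong length, so a
 * typo fails loudly instead of silently matching nothing or the wrong cert. */
int thumbprint_to_blob(const char *id, thumb_hash_blob *blob, unsigned char *out)
{
    size_t n = 0;
    int hi = -1, v;
    for (; *id; id++) {
        if (*id == ':' || *id == ' ' || *id == '-') continue;   /* separators */
        if ((v = hex_nibble((unsigned char)*id)) < 0) return 0; /* not hex */
        if (hi < 0) { hi = v; continue; }                        /* first nibble */
        if (n >= THUMB_SHA1_LEN) return 0;                       /* too long */
        out[n++] = (unsigned char)((hi << 4) | v);
        hi = -1;
    }
    if (hi >= 0 || n != THUMB_SHA1_LEN) return 0;   /* dangling nibble or short */
    blob->cbData = (unsigned long)n;
    blob->pbData = out;
    return 1;
}

/* For checking: byte idx of the parsed thumbprint, or -1 if it does not parse. */
int thumbprint_byte(const char *id, size_t idx)
{
    unsigned char out[THUMB_SHA1_LEN];
    thumb_hash_blob blob;
    if (!thumbprint_to_blob(id, &blob, out) || idx >= blob.cbData) return -1;
    return out[idx];
}
```

On Windows the filled blob is what would be passed as blobID in the CAPI_LU_THUMB case of capi_find_cert(), with the lookup failing cleanly when the parse returns 0.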
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List opens...@openssl.org
Automated List Manager majo...@openssl.org