
Re: openssl dgst and capi engine question

Dr. Stephen Henson, Aug 7, 2014, 7:16:20 AM
On Sun, Aug 03, 2014, Vladimir Simonov wrote:

> Hi all,
>
> I'm trying to use openssl command line utility to sign data file
> with key located in Windows Certificates Store.
> I generated 1024 bit dsa private key and certificate. Converted them to
> pkcs12 format and imported the certificate into WCS.
> openssl dsaparam -rand $ssl_sign_program -C -out $ssl_dsa_param 1024
> openssl req -x509 -extensions v3_ca $passout_param -newkey dsa:$ssl_dsa_param -keyout $ssl_dsa_priv_key -days 365 -batch -out $ssl_dsa_cert
> openssl pkcs12 -export -out $ssl_dsa_priv_key_pkcs12 -inkey $ssl_dsa_priv_key -name "KeyPKCS12" -in $ssl_dsa_cert $passin_param $passout_param
>
> I expected that below command will work
> openssl dgst -keyform ENGINE -engine capi -sign Company -passin pass:123 -hex -out sig.txt -sha1 data_file
>
> But it doesn't.
> Because capi engine doesn't implement pkey_meths and digests.

I'm not sure what you're doing wrong because I just tested using the CAPI
ENGINE and DSA and it worked fine on OpenSSL 1.0.1i. By default you have to
pass a string which appears in the certificate to the "sign" argument. So if
the certificate has CN="My Test DSA Key" then "DSA" would work. Internally it
uses CertFindCertificateInStore.

You can test the key loading using the pkey utility:

openssl pkey -engine capi -inform e -pubout -in DSA

If this works it will output the public part of the key.

The -passin argument isn't used by ENGINE based keys BTW.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Vladimir Simonov, Aug 7, 2014, 9:02:37 AM
-----Original Message-----
From: owner-ope...@openssl.org [mailto:owner-ope...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, August 07, 2014 3:16 PM
To: openss...@openssl.org
Subject: Re: openssl dgst and capi engine question

> On Sun, Aug 03, 2014, Vladimir Simonov wrote:
>
> > Hi all,
>>
>> I'm trying to use openssl command line utility to sign data file with
>> key located in Windows Certificates Store.
>> I generated 1024 bit dsa private key and certificate. Converted them
>> to
>> pkcs12 format and imported the certificate into WCS.
>> openssl dsaparam -rand $ssl_sign_program -C -out $ssl_dsa_param 1024
>> openssl req -x509 -extensions v3_ca $passout_param -newkey dsa:$ssl_dsa_param -keyout $ssl_dsa_priv_key -days 365 -batch -out $ssl_dsa_cert
>> openssl pkcs12 -export -out $ssl_dsa_priv_key_pkcs12 -inkey $ssl_dsa_priv_key -name "KeyPKCS12" -in $ssl_dsa_cert $passin_param $passout_param
>>
>> I expected that below command will work openssl dgst -keyform ENGINE
>> -engine capi -sign Company -passin pass:123 -hex -out sig.txt -sha1
>> data_file
>>
>> But it doesn't.
>> Because capi engine doesn't implement pkey_meths and digests.
.....
> You can test the key loading using the pkey utility:
> openssl pkey -engine capi -inform e -pubout -in DSA
> If this works it will output the public part of the key.
> The -passin argument isn't used by ENGINE based keys BTW.

Steve, thank you for the hints!
After your answer I tried "OpenSSL 1.0.1h 5 Jun 2014";
earlier I used "OpenSSL 1.0.1e 11 Feb 2013". And now "openssl dgst -sign" works as expected:
openssl dgst -keyform ENGINE -engine capi -sign Company -hex -sha1 Makefile
DSA-SHA1(Makefile)= 302e0215009e06494518c8cbc4ae024e5a5e0641387e7717100215008fc4162abb6bf440d6b7d13b054a55f79ca58742

So now all is almost fine:
openssl dgst -keyform ENGINE -engine capi -sign Company -out sig -sha1 Makefile
openssl dgst -keyform ENGINE -engine capi -prverify Company -signature sig Makefile
"Verified OK"!

But one, probably small, thing:
openssl dgst -keyform ENGINE -engine capi -verify Company -signature sig Makefile
reports "unable to load key file"

If I extract the public key
"openssl pkey -engine capi -inform e -pubout -in Company > pub_key"
the result of
"openssl dgst -keyform ENGINE -engine capi -verify pub_key -signature sig Makefile"
is the same: "unable to load key file".

Should it be possible to check the signature using the public key?

Thank you again
Vladimir
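
The hex string that `openssl dgst -sign -hex` printed above is not a raw (r, s) pair: OpenSSL emits DSA signatures (and ECDSA signatures, which share the structure) as the DER encoding of `SEQUENCE { r INTEGER, s INTEGER }`. The strict decoder below is an added example, not code from this thread or from OpenSSL; it takes the signature Vladimir posted, recovers r and s, and rejects the non-canonical encodings (unneeded leading zeros, long-form lengths that fit the short form, negative integers, trailing bytes) that a lenient parser would accept and that a verifier should refuse so each signature has exactly one valid byte representation. The sample input is the signature copied from the message above; the range check against q uses a placeholder bound since the thread does not show the key's parameters.

```python
"""Strict decoder for the DER Dsa-Sig-Value that `openssl dgst -sign` produces.

Added example, not code from the thread or from OpenSSL.

    Dsa-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }

Everything that is not canonical DER raises DerError instead of being
tolerated, which is what a signature verifier needs.
"""

# The hex signature Vladimir posted for his Makefile, copied from the thread.
POSTED_SIG_HEX = (
    "302e0215009e06494518c8cbc4ae024e5a5e0641387e771710"
    "0215008fc4162abb6bf440d6b7d13b054a55f79ca58742"
)


class DerError(ValueError):
    """Raised for any encoding that is not strict DER."""


def _read_tlv(buf: bytes, pos: int, tag: int):
    """Read one tag-length-value element; return (content, position after it)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise DerError(f"expected tag 0x{tag:02x} at offset {pos}")
    pos += 1
    if pos >= len(buf):
        raise DerError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form: the byte is the length
        length = first
    else:                                  # long form: 0x8N followed by N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DerError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise DerError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise DerError("length exceeds buffer")
    return buf[pos:pos + length], pos + length


def _der_int(content: bytes) -> int:
    """Decode INTEGER content octets as a non-negative int, strictly."""
    if not content:
        raise DerError("empty INTEGER")
    if content[0] & 0x80:
        raise DerError("negative INTEGER is not a valid r or s")
    # A leading 0x00 is only allowed when the next byte has its top bit set.
    # That is why the 160-bit r and s in the posted signature take 21 bytes.
    if len(content) > 1 and content[0] == 0 and content[1] < 0x80:
        raise DerError("non-minimal INTEGER (unneeded leading zero)")
    return int.from_bytes(content, "big")


def decode_dsa_sig(der: bytes):
    """Return (r, s) from a strict DER Dsa-Sig-Value, or raise DerError."""
    seq, end = _read_tlv(der, 0, 0x30)     # SEQUENCE
    if end != len(der):
        raise DerError("trailing bytes after SEQUENCE")
    r_bytes, pos = _read_tlv(seq, 0, 0x02)  # INTEGER r
    s_bytes, pos = _read_tlv(seq, pos, 0x02)  # INTEGER s
    if pos != len(seq):
        raise DerError("unexpected extra element in Dsa-Sig-Value")
    return _der_int(r_bytes), _der_int(s_bytes)


def is_strict_der_sig(der: bytes) -> bool:
    """True only if `der` is one canonical DER Dsa-Sig-Value."""
    try:
        decode_dsa_sig(der)
        return True
    except DerError:
        return False


def in_range(r: int, s: int, q: int) -> bool:
    """The check a DSA verifier does before any arithmetic: 0 < r, s < q."""
    return 0 < r < q and 0 < s < q


if __name__ == "__main__":
    r, s = decode_dsa_sig(bytes.fromhex(POSTED_SIG_HEX))
    print(f"r = {r:x} ({r.bit_length()} bits)")
    print(f"s = {s:x} ({s.bit_length()} bits)")
    # q is not shown in the thread; 2**160 is an assumed upper bound for a 160-bit q.
    print("in range:", in_range(r, s, 1 << 160))
```

Both components decode to 160-bit values, which matches the 160-bit q of the 1024-bit DSA parameters generated earlier in the thread. Note that 1024-bit DSA with SHA-1 is below current minimum strengths and is fine only as a test setup. A signature written with `-out sig` instead of `-hex` is the same DER bytes and can be passed to `decode_dsa_sig` directly.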

Vladimir Simonov, Aug 7, 2014, 9:45:20 AM
Steve, sorry. It is my fault:
openssl dgst -verify pub_key -signature sig Makefile
Verified OK!

If I understand correctly, there is no way to verify a signature by public key directly from the store.
But it is OK for me.

Dr. Stephen Henson, Aug 7, 2014, 3:50:41 PM
That's correct, at least on the command line. Usually there's no need to, as
the public key is, err, public, and you can use OpenSSL's own public key
handling to verify signatures.

Steve.