I think I'll probably have to jump off that bridge when I get to it, but to 
make progress I'm going to try to get something going in the interim.  I think 
I'll post some code (I suspect that the padding provided by the capi 
encrypt/decrypt is somehow different than what openssl is doing - the ms docs 
are woefully inadequate) but if anyone has pointers on information on how to 
use the capi engine, I'd greatly appreciate it, thanks! ... N

---
Nou Dadoun
ndad...@teradici.com
604-628-1215 


-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dr. Stephen Henson
Sent: March 8, 2012 1:55 PM
To: openssl-users@openssl.org
Subject: Re: OpenSSL Windows CryptoAPI certificate and encrypt/decrypt interop

On Thu, Mar 08, 2012, Nou Dadoun wrote:

> Thanks for the response, I'm trying to allow end-users to use commercially 
> purchased certificates so I'd rather not make the assumption that the key is 
> exportable.
> 
> Using the capi engine sounds like a viable alternative, but I've had trouble 
> tracking down details on how to use it.
> 
> Unfortunately I have a few restrictions; we're fips-certified on openssl 
> 0.98n so that's the version I'm stuck with (without recertifying).  I also 
> want to use the crypto api directly to tell it which certificate to load and 
> use (i.e. user configurable through a gpo setting) and then have the engine 
> use that certificate for the ssl handshake to the peer.
> 
> I've read the O'Reilly section on Engines but it's pretty rudimentary and 
> doesn't touch the capi engine, do you have a pointer to any user 
> documentation that might have some examples on using the capi engine?
> 

If you need all crypto to be FIPS compliant (for some value of compliant)
that's a can of worms because the relevant CSPs might not be and you'd be
mixing various cryptographic operations across boundaries.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org