On 12/6/2012 9:13 AM, LN wrote:
Hi,

Somehow related to private keys but about loading them with CAPI
engine... Does someone know if the ENGINE_load_private_key() for CAPI
engine returns the PUBLIC KEY ?
I have a feeling it does so because I tried to save that returned
EVP_PKEY to a PEM file with PEM_write_bio_PrivateKey and then to load it
back from the same file with PEM_read_bio_PrivateKey.
Saving worked, but loading failed (with some decoding error inside
openssl). The length of the base64 string in the PEM file for the key was
very small in comparison with what is usually the length for private keys.

PEM_write_bio_PUBKEY and PEM_read_bio_PUBKEY worked with the returned
EVP_PKEY.


You are probably right. Microsoft CAPI essentially treats all its key
stores like physical smart cards, which means that by default, you cannot extract the private key using any documented method (if at all),
but you (and thus the OpenSSL "CAPI Engine") can ask CAPI to use the key
to decrypt or sign something.

MS CAPI has an option to mark a private key as "exportable" when you create or install it, which means that the private key can then be read anyway, but I don't know if that feature is used by the OpenSSL "CAPI Engine". It is almost always a good idea NOT to mark private keys as exportable. Note that whatever is decided when the private key is first stored by CAPI will be permanent (there is a 3-step workaround for making an exportable key non-exportable, but any ability to go the
other way would compromise security just by being possible).
Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
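The symptom described in the thread (a "private key" PEM file that is suspiciously short and that PEM_read_bio_PrivateKey rejects) can be diagnosed without OpenSSL by looking at the DER structure behind the PEM label: a PKCS#8 PrivateKeyInfo or a PKCS#1 RSAPrivateKey begins with an INTEGER (the version field), whereas a SubjectPublicKeyInfo begins with an AlgorithmIdentifier SEQUENCE. The following is an added, stand-alone example (not code from the thread, the OpenSSL project or the CAPI engine); it uses only the Python standard library, builds its own toy RSA samples with constructed parameters (n=3233, which are not real keys), and classifies a PEM file by what its DER payload actually is rather than by what the BEGIN line claims.

```python
"""Check whether a PEM "private key" file really carries private material.

Added example (not from the original thread). Uses only the standard
library and a minimal DER walker. The sample key parameters are
constructed toy values (p=61, q=53); never use such values for real keys.
"""
import base64
import re


# --- minimal DER encoder, just enough to build the sample blobs -----------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_int(v):
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:            # leading zero keeps the INTEGER non-negative
        body = b"\x00" + body
    return der_tlv(0x02, body)


def der_seq(*items):
    return der_tlv(0x30, b"".join(items))


# AlgorithmIdentifier { rsaEncryption (1.2.840.113549.1.1.1), NULL }
ALG_RSA = der_seq(bytes.fromhex("06092a864886f70d010101"), b"\x05\x00")


def rsa_spki(n, e):
    """SubjectPublicKeyInfo: SEQ { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }"""
    return der_seq(ALG_RSA, der_tlv(0x03, b"\x00" + der_seq(der_int(n), der_int(e))))


def rsa_pkcs8(n, e, d, p, q):
    """PrivateKeyInfo: SEQ { INTEGER 0, AlgorithmIdentifier, OCTET STRING { RSAPrivateKey } }"""
    rsa_priv = der_seq(der_int(0), der_int(n), der_int(e), der_int(d), der_int(p), der_int(q),
                       der_int(d % (p - 1)), der_int(d % (q - 1)), der_int(pow(q, -1, p)))
    return der_seq(der_int(0), ALG_RSA, der_tlv(0x04, rsa_priv))


# --- PEM / DER reading ----------------------------------------------------
def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def pem_decode(pem):
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def der_read_tlv(buf, off=0):
    """Return (tag, body, next_offset) for the TLV starting at buf[off]."""
    tag, ln = buf[off], buf[off + 1]
    off += 2
    if ln & 0x80:                 # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + ln], off + ln


def classify_key_pem(pem):
    """Return (label, kind) where kind reflects the DER payload, not the label."""
    label, der = pem_decode(pem)
    tag, body, end = der_read_tlv(der)
    if tag != 0x30 or end != len(der):
        return label, "not-a-key"
    first_tag, _, _ = der_read_tlv(body)
    if first_tag == 0x02:         # version INTEGER: PKCS#8 PrivateKeyInfo or PKCS#1 RSAPrivateKey
        return label, "private"
    if first_tag == 0x30:         # AlgorithmIdentifier first: SubjectPublicKeyInfo
        return label, "public"
    return label, "unknown"


def check_private_key_file(pem):
    """True only if a PEM labelled as a private key really contains one."""
    label, kind = classify_key_pem(pem)
    return "PRIVATE KEY" in label and kind == "private"


# constructed toy RSA parameters (n = 61 * 53 = 3233)
N, E, D, P, Q = 3233, 17, 2753, 61, 53
GOOD_PEM = pem_encode("PRIVATE KEY", rsa_pkcs8(N, E, D, P, Q))
# simulates the thread's symptom: a file labelled as a private key that only holds the public part
BAD_PEM = pem_encode("PRIVATE KEY", rsa_spki(N, E))

if __name__ == "__main__":
    for name, pem in (("good", GOOD_PEM), ("bad", BAD_PEM)):
        print(name, classify_key_pem(pem), check_private_key_file(pem))
```

The point of the check is that a successful write says nothing about what was written: PEM_write_bio_PrivateKey reports success as long as it could serialise the EVP_PKEY it was given, so the label and the length of the file are the only hints that the private component was never there. The same structural distinction can be seen with the real tool by running `openssl asn1parse -in key.pem` and looking at whether the outer SEQUENCE opens with an INTEGER or with another SEQUENCE.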