Hmmm...ok. Is it possible that in some cases passing the subject to ENGINE_load_private_key is the incorrect thing to do?
What I'm doing seems pretty simple, but in some cases I get key/value mismatch errors. I get the PCCERT_CONTEXT from the Windows certificate store, then do the following to get the X509 structure and the private key:

    PCCERT_CONTEXT context;
    ...
    const unsigned char *pData = context->pbCertEncoded;
    X509 *pX509 = d2i_X509(0, &pData, context->cbCertEncoded);

    // Get Subject
    if (X509_NAME *subject = X509_get_subject_name(pX509)) {
        for (int nid = 0; nid < 3; ++nid) {
            X509_NAME_get_text_by_NID(subject, NIDs[nid], buffer, sizeof(buffer));
            if (buffer[0] != '\0') {
                m_subject = buffer;
                break;
            }
        }
    }

    EVP_PKEY *pkey = ENGINE_load_private_key(e, m_subject, 0, 0);

Then I set the context to use the certificates:

    int errCode = SSL_CTX_use_certificate(context, pX509);
    errCode = SSL_CTX_use_PrivateKey(context, pkey);

I don't seem to have any idea how there can be a mismatch.

Thanks for all your help.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, September 26, 2013 6:53 AM
To: openssl-users@openssl.org
Subject: Re: CAPI and Private keys

On Wed, Sep 25, 2013, Fili, Tom wrote:

> I'm using the capi API to access certificates in the Windows Cert
> Store. I'm using the following to get access to the private key
>
> EVP_PKEY *key = ENGINE_load_private_key(e, subject, 0, 0);
>
> This seems to work as far as I can tell. Even if the certificate requires a
> password the OS prompts the user for it before it allows access. I've
> recently run into some customers who don't get the dialog prompt and get a
> "key value mismatch" error when it appears to be calling
> SSL_CTX_use_PrivateKey. I don't have access to their machines, to do a full
> debug session.
>
> I'm wondering if there is something that affects whether Windows displays the
> prompts and if the correct way to do this would be to use
> SSL_CTX_set_default_passwd_cb or specify a UI_METHOD to
> ENGINE_load_private_key instead of depending on the OS for this.
>
> Does anyone have any experience in dealing with this?
>

The UI and password callback functions are not used with the CAPI ENGINE so setting them will have no effect.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org