My mistake. I was looking at Common Name, Organization Unit Name, Organization Name. I can definitely see collisions with this approach.
If I want to make a more specific string to avoid any wrong certificates, what format should it be in for the capi engine to accept it? I've tried X509_NAME_oneline(X509_get_subject_name(m_pX509), buffer, sizeof(buffer)); but that doesn't work. Should it just be comma separated values or something like "SN=value,SN=value"?

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, September 26, 2013 2:08 PM
To: openssl-users@openssl.org
Subject: Re: CAPI and Private keys

On Thu, Sep 26, 2013, Fili, Tom wrote:

> Hmmm...ok. Is it possible that in some cases passing the subject to
> ENGINE_load_private_key is the incorrect thing to do?
>
> What I'm doing seems pretty simple but in some cases I get key/value mismatch
> errors.
>
> I get the PCCERT_CONTEXT from the Windows certificate store.
>
> Then do the following to get the X509 structure and the private key
>
> PCCERT_CONTEXT context;
> ...
> const unsigned char *pData = context->pbCertEncoded;
> X509* pX509 = d2i_X509(0, &pData, context->cbCertEncoded);
> // Get Subject
> if (X509_NAME* subject = X509_get_subject_name(pX509))
> {
>     for(int nid=0;nid<3;++nid)
>     {
>         X509_NAME_get_text_by_NID(subject, NIDs[nid], buffer, sizeof(buffer));
>         if( buffer[0] != '\0' )
>         {
>             m_subject = buffer;
>             break;
>         }
>     }
> }
> EVP_PKEY *pkey = ENGINE_load_private_key(e, m_subject, 0, 0);
>
> Then I set the context to use the certificates
>
> int errCode = SSL_CTX_use_certificate(context, pX509);
> errCode = SSL_CTX_use_PrivateKey(context, pkey);
>
> I don't seem to have any idea how there can be a mismatch.
>

You don't indicate what the "NIDs" array is. It's possible that there are multiple certificates matching the values you look up and ENGINE_load_private_key() just finds the first one which may not be the one you want.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
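As an added illustration that is not code from this thread, from the CAPI engine or from OpenSSL, the following Go program reproduces the failure mode Steve describes using only the Go standard library: two constructed self-signed certificates share the same CN/OU/O, so a substring lookup on the subject is ambiguous, and pairing the first hit with the other certificate's private key is exactly the key mismatch reported above. It shows the two defensive measures a caller can apply regardless of language: refuse the pairing unless the private key actually matches the certificate's public key (tls.X509KeyPair performs that check here; X509_check_private_key(X509 *, EVP_PKEY *) is the OpenSSL counterpart and can be called before SSL_CTX_use_PrivateKey), and select the certificate by its SHA-1 thumbprint, which identifies one certificate uniquely, rather than by subject fields. The names storeEntry, newSelfSigned, findBySubjectSubstring, findByThumbprint and keyMatchesCert are assumptions of this example, and it does not reproduce the CAPI engine's own matching rules.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// storeEntry stands in for one PCCERT_CONTEXT: DER certificate plus (in memory, for this offline example) its key.
type storeEntry struct {
	certDER []byte
	key     *ecdsa.PrivateKey
}

// newSelfSigned creates a constructed self-signed certificate with the given subject; each call gets a fresh key pair.
func newSelfSigned(cn, ou, o string, serial int64) (storeEntry, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return storeEntry{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}, Organization: []string{o}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return storeEntry{}, err
	}
	return storeEntry{certDER: der, key: key}, nil
}

// findBySubjectSubstring returns every entry whose subject string contains needle,
// so an ambiguous lookup is visible instead of silently taking the first hit.
func findBySubjectSubstring(store []storeEntry, needle string) ([]storeEntry, error) {
	var hits []storeEntry
	for _, e := range store {
		c, err := x509.ParseCertificate(e.certDER)
		if err != nil {
			return nil, err
		}
		if strings.Contains(c.Subject.String(), needle) {
			hits = append(hits, e)
		}
	}
	return hits, nil
}

// thumbprint is SHA-1 over the DER certificate (the "Thumbprint" the Windows certificate UI shows); it is unique per certificate.
func thumbprint(certDER []byte) string {
	sum := sha1.Sum(certDER)
	return hex.EncodeToString(sum[:])
}

func findByThumbprint(store []storeEntry, tp string) (storeEntry, error) {
	for _, e := range store {
		if thumbprint(e.certDER) == tp {
			return e, nil
		}
	}
	return storeEntry{}, fmt.Errorf("no certificate with thumbprint %s", tp)
}

// keyMatchesCert is the Go counterpart of OpenSSL's X509_check_private_key():
// tls.X509KeyPair rejects a certificate whose public key does not belong to the private key.
func keyMatchesCert(certDER []byte, key *ecdsa.PrivateKey) bool {
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return false
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	_, err = tls.X509KeyPair(certPEM, keyPEM)
	return err == nil
}

func main() {
	a, _ := newSelfSigned("svc.example.test", "Ops", "Example", 1)
	b, _ := newSelfSigned("svc.example.test", "Ops", "Example", 2)
	store := []storeEntry{a, b}
	hits, _ := findBySubjectSubstring(store, "CN=svc.example.test")
	fmt.Printf("subject lookup matched %d certificates; first hit with second key matches: %v\n",
		len(hits), keyMatchesCert(hits[0].certDER, b.key))
	chosen, _ := findByThumbprint(store, thumbprint(b.certDER))
	fmt.Println("thumbprint lookup is unique; key matches:", keyMatchesCert(chosen.certDER, chosen.key))
}
```

The useful habit for the OpenSSL code in the thread is the same: treat more than one subject hit as an error rather than a choice, and check the loaded EVP_PKEY against the X509 before handing both to the SSL_CTX, so a wrong selection fails loudly at startup instead of surfacing as a handshake failure later.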