So the string that the capi engine needs is a comma separated string of the entry values like what is returned by CertNameToStr with CERT_SIMPLE_NAME_STR type.

The only problem I seem to run into is when dealing with extended characters. CertNameToStr seems to output a correct looking string but the values I get from ASN1_STRING_data(X509_NAME_ENTRY_get_data(subject)) don't seem to display the characters correctly. The extended characters seem to come in as 2 characters. This is probably an encoding issue so I tried using ASN1_STRING_to_UTF8 with no luck. Any ideas of what the difference may be?

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Fili, Tom
Sent: Friday, September 27, 2013 2:14 PM
To: openssl-users@openssl.org
Subject: RE: CAPI and Private keys

My mistake. I was looking at Common Name, Organization Unit Name, Organization Name. I can definitely see collisions with this approach. If I want to make a more specific string to avoid any wrong certificates, what format should it be in for the capi engine to accept it?

I've tried

    X509_NAME_oneline(X509_get_subject_name(m_pX509), buffer, sizeof(buffer));

But that doesn't work. Should it just be comma separated values or something like "SN=value,SN=value"?

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, September 26, 2013 2:08 PM
To: openssl-users@openssl.org
Subject: Re: CAPI and Private keys

On Thu, Sep 26, 2013, Fili, Tom wrote:

> Hmmm...ok. Is it possible that in some cases passing the subject to
> ENGINE_load_private_key is the incorrect thing to do?
>
> What I'm doing seems pretty simple but in some cases I get key/value mismatch
> errors.
>
> I get the PCCERT_CONTEXT from the windows certificate store.
>
> Then do the following to get the X509 structure and the private key
>
>     PCCERT_CONTEXT context;
>     ...
>     const unsigned char *pData = context->pbCertEncoded;
>     X509* pX509 = d2i_X509(0, &pData, context->cbCertEncoded);
>
>     // Get Subject
>     if (X509_NAME* subject = X509_get_subject_name(pX509))
>     {
>         for (int nid = 0; nid < 3; ++nid)
>         {
>             X509_NAME_get_text_by_NID(subject, NIDs[nid], buffer, sizeof(buffer));
>             if (buffer[0] != '\0')
>             {
>                 m_subject = buffer;
>                 break;
>             }
>         }
>     }
>     EVP_PKEY *pkey = ENGINE_load_private_key(e, m_subject, 0, 0);
>
> Then I set the context to use the certificates
>
>     int errCode = SSL_CTX_use_certificate(context, pX509);
>     errCode = SSL_CTX_use_PrivateKey(context, pkey);
>
> I don't seem to have any idea how there can be a mismatch.
>

You don't indicate what the "NIDs" array is. It's possible that there are multiple certificates matching the values you look up and ENGINE_load_private_key() just finds the first one which may not be the one you want.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
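The two things this thread turns on, the "values only, comma separated" string shape that CertNameToStr produces with CERT_SIMPLE_NAME_STR and the way non-ASCII subject values get mangled when their raw ASN1_STRING bytes are printed as an 8-bit C string, as an added example. It is not part of the thread and is not OpenSSL, CAPI engine or Windows code: it is a small pure-Python DER parser for an X.509 Name (so it runs without OpenSSL), which decodes each attribute value according to its ASN.1 string tag (PrintableString, UTF8String, BMPString, and so on) and joins the values with a comma, next to a function that shows the same raw bytes the way `printf("%s")` on `ASN1_STRING_data()` would display them in a Latin-1 console. The sample subject, the `", "` separator, keeping the certificate's encoded attribute order, and treating T61String as Latin-1 are all assumptions of this example; Microsoft's documentation for CertNameToStr is the authority on its exact separator and ordering flags.

```python
# Added example (not from the thread; not OpenSSL, CAPI engine or Windows code).
# Minimal DER parser for an X.509 Name that renders attribute values the way
# CertNameToStr(CERT_SIMPLE_NAME_STR) does (values only, comma separated), and
# shows why printing the raw ASN1_STRING bytes mangles non-ASCII text.

SEQUENCE, SET, OID = 0x30, 0x31, 0x06
# ASN.1 string tags that appear in subject names, with the codec each uses.
# T61String is approximated as Latin-1 here (an assumption; real T.61 differs).
STRING_CODECS = {
    0x13: "ascii",       # PrintableString
    0x16: "ascii",       # IA5String
    0x0C: "utf-8",       # UTF8String
    0x1E: "utf-16-be",   # BMPString (UCS-2, big endian)
    0x14: "latin-1",     # T61String / TeletexString (approximation)
}

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, body, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OID content octets to dotted form, e.g. 55 04 03 -> '2.5.4.3'."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Return [(oid, tag, raw_bytes, text)] for every attribute, in encoded order."""
    tag, body, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    entries, pos = [], 0
    while pos < len(body):
        rtag, rdn, pos = read_tlv(body, pos)
        if rtag != SET:
            raise ValueError("RelativeDistinguishedName must be a SET")
        rpos = 0
        while rpos < len(rdn):
            _, atv, rpos = read_tlv(rdn, rpos)          # AttributeTypeAndValue
            otag, oid, vpos = read_tlv(atv, 0)
            vtag, raw, _ = read_tlv(atv, vpos)
            codec = STRING_CODECS.get(vtag)
            if otag != OID or codec is None:
                raise ValueError(f"unsupported AttributeTypeAndValue (tag 0x{vtag:02x})")
            entries.append((decode_oid(oid), vtag, raw, raw.decode(codec)))
    return entries

def simple_name_str(der):
    """Values only, ', ' separated, encoded order: the shape the thread says the
    capi engine matches against (separator and order are assumptions here)."""
    return ", ".join(text for _, _, _, text in parse_name(der))

def raw_c_string_view(raw):
    """What printf("%s") on ASN1_STRING_data() shows in a Latin-1 console:
    the bytes up to the first NUL, one character per byte."""
    return raw.split(b"\x00", 1)[0].decode("latin-1")

# --- constructed sample input: a tiny DER encoder so the Name is built inline ---
def tlv(tag, body):
    assert len(body) < 128, "short-form length is enough for the sample"
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def encode_name(attrs):
    """attrs: [(oid, string_tag, text)] -> DER Name, one attribute per RDN."""
    rdns = b"".join(
        tlv(SET, tlv(SEQUENCE, tlv(OID, encode_oid(oid))
                               + tlv(tag, text.encode(STRING_CODECS[tag]))))
        for oid, tag, text in attrs)
    return tlv(SEQUENCE, rdns)

# Constructed subject: C (PrintableString), O (UTF8String), CN (BMPString).
SAMPLE_ATTRS = [("2.5.4.6", 0x13, "US"),
                ("2.5.4.10", 0x0C, "Caf\u00e9 Ltd"),
                ("2.5.4.3", 0x1E, "R\u00e9sum\u00e9")]
SAMPLE_DER = encode_name(SAMPLE_ATTRS)

if __name__ == "__main__":
    print("CERT_SIMPLE_NAME_STR style:", simple_name_str(SAMPLE_DER))
    for oid, tag, raw, text in parse_name(SAMPLE_DER):
        print(f"{oid} tag=0x{tag:02x} decoded={text!r} raw-as-C-string={raw_c_string_view(raw)!r}")
```

Running it shows the two failure modes side by side: the UTF8String value `Café Ltd` is the bytes `43 61 66 C3 A9 20 4C 74 64`, so a console using an ANSI code page shows the `é` as the two characters `Ã©` (which is also what `ASN1_STRING_to_UTF8` hands back, since it only normalises to UTF-8), while the BMPString value starts with a `00` byte and so prints as an empty C string. Decoding by tag, as `parse_name` does, gives the same text for all three, which is the form to widen (for example with `MultiByteToWideChar`) before comparing against what `CertNameToStrW` returns.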