On Sun, Aug 03, 2014, Vladimir Simonov wrote:
> Hi all,
>
> I'm trying to use the openssl command line utility to sign a data file
> with a key located in the Windows Certificate Store.
> I generated a 1024 bit DSA private key and certificate, converted them to
> PKCS#12 format and imported the certificate into WCS.
>
> openssl dsaparam -rand $ssl_sign_program -C -out $ssl_dsa_param 1024
> openssl req -x509 -extensions v3_ca $passout_param -newkey dsa:$ssl_dsa_param -keyout $ssl_dsa_priv_key -days 365 -batch -out $ssl_dsa_cert
> openssl pkcs12 -export -out $ssl_dsa_priv_key_pkcs12 -inkey $ssl_dsa_priv_key -name "KeyPKCS12" -in $ssl_dsa_cert $passin_param $passout_param
>
> I expected that the command below would work:
> openssl dgst -keyform ENGINE -engine capi -sign Company -passin pass:123 -hex -out sig.txt -sha1 data_file
>
> But it doesn't,
> because the capi engine doesn't implement pkey_meths and digests.
I'm not sure what you're doing wrong because I just tested using the CAPI ENGINE and DSA and it worked fine on OpenSSL 1.0.1i.

By default you have to pass a string which appears in the certificate to the "sign" argument. So if the certificate has CN="My Test DSA Key" then "DSA" would work. Internally it uses CertFindCertificateInStore.

You can test the key loading using the pkey utility:

openssl pkey -engine capi -inform e -pubout -in DSA

If this works it will output the public part of the key.

The -passin argument isn't used by ENGINE based keys BTW.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
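The following PowerShell script is an added example, not code from either message in the thread: it chains Steve's key-loading check with a sign-and-verify round trip so the signature is checked against the public key the CAPI engine actually selected. It assumes OpenSSL 1.0.1i with the capi ENGINE on Windows, a DSA certificate in the store whose subject contains the lookup string `My Test DSA Key`, and a file named `data_file`; all three are placeholders.

```powershell
# Added example: round-trip check of a key held in the Windows certificate store
# via the OpenSSL capi ENGINE. Assumes OpenSSL 1.0.1i with the capi engine, a DSA
# certificate whose subject contains $KeyId, and a file $DataFile to sign.
$KeyId    = "My Test DSA Key"   # placeholder: any string that appears in the certificate
$DataFile = "data_file"         # placeholder input file
$ErrorActionPreference = "Stop"

# 1. Key-loading check from the thread: -inform e selects the ENGINE key format and
#    the -in value is the lookup string passed to CertFindCertificateInStore.
openssl pkey -engine capi -inform e -pubout -in $KeyId -out capi_pub.pem
if ($LASTEXITCODE -ne 0) { throw "capi engine found no key matching '$KeyId'" }

# 2. Sign with the store key. No -passin: ENGINE based keys do not use it.
#    -hex is omitted because -verify below expects the raw binary signature.
openssl dgst -engine capi -keyform ENGINE -sign $KeyId -sha1 -out sig.bin $DataFile
if ($LASTEXITCODE -ne 0) { throw "signing through the capi engine failed" }

# 3. Verify with the public key exported in step 1. Success confirms the
#    signature was produced by the certificate the lookup string matched.
openssl dgst -sha1 -verify capi_pub.pem -signature sig.bin $DataFile
if ($LASTEXITCODE -ne 0) { throw "signature does not verify against the exported public key" }
"Signed $DataFile with CAPI key '$KeyId' and verified OK"
```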