>> On Sun, Aug 03, 2014, Vladimir Simonov wrote:
>>
>>> Hi all,
>>>
>>> I'm trying to use the openssl command line utility to sign a data file with a
>>> key located in the Windows Certificate Store.
>>> I generated a 1024 bit DSA private key and certificate, converted them to
>>> pkcs12 format and imported the certificate into WCS.
>>>
>>> openssl dsaparam -rand $ssl_sign_program -C -out $ssl_dsa_param 1024
>>> openssl req -x509 -extensions v3_ca $passout_param -newkey dsa:$ssl_dsa_param -keyout $ssl_dsa_priv_key -days 365 -batch -out $ssl_dsa_cert
>>> openssl pkcs12 -export -out $ssl_dsa_priv_key_pkcs12 -inkey $ssl_dsa_priv_key -name "KeyPKCS12" -in $ssl_dsa_cert $passin_param $passout_param
>>>
>>> I expected that the command below would work:
>>> openssl dgst -keyform ENGINE -engine capi -sign Company -passin pass:123 -hex -out sig.txt -sha1 data_file
>>>
>>> But it doesn't.
>>> Because the capi engine doesn't implement pkey_meths and digests.
>> .....
>>
>> You can test the key loading using the pkey utility:
>> openssl pkey -engine capi -inform e -pubout -in DSA
>> If this works it will output the public part of the key.
>> The -passin argument isn't used by ENGINE based keys BTW.
> Steve, thank you for the hints!
> After your answer I tried "OpenSSL 1.0.1h 5 Jun 2014"; earlier I used
> "OpenSSL 1.0.1e 11 Feb 2013". And now "openssl dgst -sign" works as expected:
> openssl dgst -keyform ENGINE -engine capi -sign Company -hex -sha1 Makefile
> DSA-SHA1(Makefile)= 302e0215009e06494518c8cbc4ae024e5a5e0641387e7717100215008fc4162abb6bf440d6b7d13b054a55f79ca58742
>
> So now all is almost fine:
> openssl dgst -keyform ENGINE -engine capi -sign Company -out sig -sha1 Makefile
> openssl dgst -keyform ENGINE -engine capi -prverify Company -signature sig Makefile
> "Verified OK"!
>
> But one, probably small, thing:
> openssl dgst -keyform ENGINE -engine capi -verify Company -signature sig Makefile
> reports "unable to load key file"
>
> If I extract the public key
> "openssl pkey -engine capi -inform e -pubout -in Company > pub_key"
> the result of
> "openssl dgst -keyform ENGINE -engine capi -verify pub_key -signature sig Makefile"
> is the same: "unable to load key file"

Steve, sorry. It is my fault.
openssl dgst -verify pub_key -signature sig Makefile
Verified OK!
If I understand correctly, there is no way to verify a signature with a public key directly from the store.
But it is ok for me.
Thank you again,
Vladimir

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
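The sequence Vladimir ended up with, as an added example that is not part of the thread and not OpenSSL project code: the private key is used for -sign and -prverify, the public half is exported with openssl pkey -pubout, and -verify is then given that PEM public key with no -keyform ENGINE or -engine option at all, which is the form that produced "Verified OK" above. Because the capi engine exists only on Windows, the script substitutes a software DSA key in PEM files for the key in the certificate store; file names (Company.key, pub_key, sig, Makefile) mirror the thread, while SHA-256 and a 2048-bit key are assumptions in place of the thread's SHA-1 and 1024-bit key. It assumes openssl is on PATH and creates everything it uses inside a temporary directory. The tamper_check function is added to show that -verify really checks the signature over the data rather than merely succeeding at loading the key.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenSSL project.
# Software DSA key in PEM files stands in for the Windows capi engine key.
# Assumptions: openssl on PATH, SHA-256, 2048-bit DSA, hypothetical file names.
set -eu

# Create key material and a constructed data file in $1, then sign and verify.
# With set -e the function's exit status is non-zero if any openssl step fails.
dsa_sign_verify_demo() {
    dir=$1
    mkdir -p "$dir"
    # Constructed sample input standing in for the Makefile signed in the thread.
    printf 'all:\n\t@echo constructed sample file\n' > "$dir/Makefile"

    # DSA parameters and private key: the software stand-in for the key the
    # thread keeps in the Windows certificate store (the capi "Company" key).
    openssl dsaparam -out "$dir/dsaparam.pem" 2048 2>/dev/null
    openssl genpkey -paramfile "$dir/dsaparam.pem" -out "$dir/Company.key"

    # -sign takes the PRIVATE key. The thread's capi form of this step was
    #   openssl dgst -keyform ENGINE -engine capi -sign Company -out sig -sha1 Makefile
    openssl dgst -sha256 -sign "$dir/Company.key" -out "$dir/sig" "$dir/Makefile"

    # Export the public half; counterpart of
    #   openssl pkey -engine capi -inform e -pubout -in Company > pub_key
    openssl pkey -in "$dir/Company.key" -pubout -out "$dir/pub_key"

    # -prverify checks the signature against the private key ...
    openssl dgst -sha256 -prverify "$dir/Company.key" -signature "$dir/sig" "$dir/Makefile"
    # ... while -verify takes the exported PEM public key, with no engine
    # option; this is the invocation that succeeded in the thread.
    openssl dgst -sha256 -verify "$dir/pub_key" -signature "$dir/sig" "$dir/Makefile"
}

# Returns 0 only when verification of a modified file FAILS, i.e. -verify is
# checking the signature over the data, not just loading the key.
tamper_check() {
    dir=$1
    printf '\n# appended after signing\n' >> "$dir/Makefile"
    if openssl dgst -sha256 -verify "$dir/pub_key" -signature "$dir/sig" "$dir/Makefile" 2>/dev/null; then
        echo "unexpected: tampered file verified" >&2
        return 1
    fi
    echo "tampered file correctly rejected"
    return 0
}

# Usage: run the whole flow in a temporary directory (left behind for inspection).
work=$(mktemp -d)
dsa_sign_verify_demo "$work"
tamper_check "$work"
echo "artifacts in $work"
```

Note that -keyform ENGINE only ever applied to the private key handed to -sign or -prverify; the exported pub_key is an ordinary SubjectPublicKeyInfo PEM file, so verification needs neither the engine nor, as Steve pointed out, a -passin argument.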