On Thu, Aug 07, 2014, Vladimir Simonov wrote:
>
> >> On Sun, Aug 03, 2014, Vladimir Simonov wrote:
> >>
> >>> Hi all,
> >>>
> >>> I'm trying to use the openssl command line utility to sign a data file with a
> >>> key located in the Windows Certificate Store.
> >>> I generated a 1024 bit DSA private key and certificate, converted them to
> >>> PKCS#12 format and imported the certificate into WCS.
> >>>
> >>> openssl dsaparam -rand $ssl_sign_program -C -out $ssl_dsa_param 1024
> >>> openssl req -x509 -extensions v3_ca $passout_param -newkey
> >>> dsa:$ssl_dsa_param -keyout $ssl_dsa_priv_key -days 365 -batch -out
> >>> $ssl_dsa_cert
> >>> openssl pkcs12 -export -out $ssl_dsa_priv_key_pkcs12 -inkey
> >>> $ssl_dsa_priv_key -name "KeyPKCS12" -in $ssl_dsa_cert $passin_param
> >>> $passout_param
> >>>
> >>> I expected that the command below would work:
> >>> openssl dgst -keyform ENGINE -engine capi -sign Company -passin pass:123 -hex -out sig.txt -sha1 data_file
> >>>
> >>> But it doesn't,
> >>> because the capi engine doesn't implement pkey_meths and digests.
> .....
> >> You can test the key loading using the pkey utility:
> >> openssl pkey -engine capi -inform e -pubout -in DSA
> >> If this works it will output the public part of the key.
> >> The -passin argument isn't used by ENGINE based keys BTW.
>
> > Steve, thank you for the hints!
> > After your answer I've tried "OpenSSL 1.0.1h 5 Jun 2014", earlier I used
> > "OpenSSL 1.0.1e 11 Feb 2013". And now "openssl dgst -sign" works as expected:
> > openssl dgst -keyform ENGINE -engine capi -sign Company -hex -sha1 Makefile
> > DSA-SHA1(Makefile)= 302e0215009e06494518c8cbc4ae024e5a5e0641387e7717100215008fc4162abb6bf440d6b7d13b054a55f79ca58742
> >
> > So now all is almost fine:
> > openssl dgst -keyform ENGINE -engine capi -sign Company -out sig -sha1 Makefile
> > openssl dgst -keyform ENGINE -engine capi -prverify Company -signature sig Makefile
> > "Verified OK"!
> >
> > But one, probably small, thing:
> > openssl dgst -keyform ENGINE -engine capi -verify Company -signature sig Makefile
> > reports "unable to load key file"
> >
> > If I extract the public key
> > "openssl pkey -engine capi -inform e -pubout -in Company > pub_key"
> > the result of
> > "openssl dgst -keyform ENGINE -engine capi -verify pub_key -signature sig Makefile"
> > is the same - "unable to load key file"
>
> Steve, sorry. It is my fault.
> openssl dgst -verify pub_key -signature sig Makefile
> Verified OK !
>
> If I understand correctly there is no way to verify a signature by public key
> directly from the store.
> But it is ok for me.
>
That's correct: at least on the command line. Usually there's no need to, as the public key is, err, public, and you can use OpenSSL's own public key handling to verify signatures.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
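The sign-then-verify round trip the thread ends on, as an added example that is not from the thread or the OpenSSL project: it signs with a private key, checks with -prverify, exports the public key with "openssl pkey -pubout" and checks with -verify, then shows a modified file being rejected. It assumes a software DSA key in PEM files in place of the CAPI engine key "Company", SHA-256 in place of SHA-1, and a constructed data file in place of Makefile.

```shell
#!/bin/sh
# Added example (not from the thread): sign with a private key, then verify with
# -prverify (private key) and -verify (public key exported via "openssl pkey
# -pubout"). Assumptions: a software DSA PEM key replaces the CAPI engine key
# "Company", SHA-256 replaces SHA-1, and the data file is constructed here.
set -eu
WORK=$(mktemp -d)
DATA="$WORK/data"       # plays the role of "Makefile" in the thread
PRIV="$WORK/priv.pem"   # software key instead of the Windows store
PUB="$WORK/pub.pem"
SIG="$WORK/sig"

# Constructed sample data, then DSA parameters and a private key (software
# equivalents of the thread's dsaparam/req/pkcs12 steps; no engine involved).
printf 'all:\n\t@echo constructed sample\n' > "$DATA"
openssl dsaparam -out "$WORK/dsa_params.pem" 2048 2>/dev/null
openssl gendsa -out "$PRIV" "$WORK/dsa_params.pem" 2>/dev/null

# Sign, as "openssl dgst -engine capi -sign Company -out sig -sha1 Makefile" does.
sign_data() {
    openssl dgst -sha256 -sign "$PRIV" -out "$SIG" "$DATA"
}

# -prverify accepts the private key, so it works with the engine key too.
prverify_with_private_key() {
    openssl dgst -sha256 -prverify "$PRIV" -signature "$SIG" "$DATA" >/dev/null 2>&1
}

# -verify needs a public key: export it, then verify with OpenSSL's own key
# handling and no engine at all (Steve's point in the reply).
extract_public_key() {
    openssl pkey -in "$PRIV" -pubout -out "$PUB" 2>/dev/null
}

verify_with_public_key() {
    openssl dgst -sha256 -verify "$PUB" -signature "$SIG" "$DATA" >/dev/null 2>&1
}

# A modified file must not verify; returns 0 only when OpenSSL rejects it.
verify_tampered_fails() {
    cp "$DATA" "$DATA.tampered"
    printf 'tampered\n' >> "$DATA.tampered"
    if openssl dgst -sha256 -verify "$PUB" -signature "$SIG" "$DATA.tampered" >/dev/null 2>&1; then
        return 1
    fi
}

sign_data && prverify_with_private_key && extract_public_key \
    && verify_with_public_key && verify_tampered_fails \
    && echo "Verified OK via exported public key; tampered copy rejected"
```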