SSL Connection, Windows Certificate Store and CAPI engine
I am creating an SSL connection using the OpenSSL API. As we know, in an SSL handshake a series of certificate authentications occurs for the server or client. Now for client certificate authentication, the client's certificate and associated private key are stored in the Windows Certificate Store.

This certificate with private key is imported into the store after combining them into PFX format, and then that PFX file is imported into the Windows cert store. Now while importing this PFX file using the mmc snap-in, it asks whether we want to make the private key exportable or not. Now OpenSSL comes into the picture for making the SSL connection.

For that we have to create an SSL_CTX object in which all the connection-related properties are loaded. Now for loading the private key from the Windows certificate store into the SSL_CTX object, I have marked that private key exportable, so that I am exporting the key using the Crypto API. But I think marking a private key exportable does not make any sense; it's a security breach.

Since the private key will always be marked non-exportable, is there any method or API of OpenSSL, etc. that can directly read and load the private key from the Windows cert store into the SSL_CTX object for making an SSL connection?

I know definitely there is some way for this to work but I am not getting it. I have searched a lot for this but have not found the required thing.

Summarized question: The Certificate Store holds many certificates and associated private keys. How are the certificates and private keys accessed when making an SSL connection?

EDIT: I have gone through an OpenSSL engine API called

```c
EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
                                  UI_METHOD *ui_method, void *callback_data);
```

Now how can I get this key_id of the private key? Also I think this API internally calls the Crypto API CryptExportKey, and that API fails if the private key is marked non-exportable.

Phonate answered 31/12, 2015 at 17:49 Comment(12)
See Using Windows certificate store through OpenSSL on the OpenSSL mailing list. Stack Overflow could probably use a good example of doing it (I'm not aware that one exists). Centner
@Centner Thanks for the link you provided. It was a bit helpful. But the problem here is to use the private key from within the store without actually exporting it for making an SSL connection. Phonate
The CAPI engine is supposed to use CAPI to perform the private key operations so export is not needed. It does not matter where you use it - Signing, Verification, SSL connection, etc. If you want to export the private key (<insert reason here>), then that's a slightly different problem. Centner
I don't remember by heart, but if I remember correctly (been some time since I played with that) you can create a certificate engine (it's a Windows object) that verifies the certificates automatically for you. Zajac
@Zajac thanks for your concern. But actually the problem I am facing is with the private key. The private key is present in the Windows store (marked as non-exportable). Now for creating an SSL session I need to load this private key into the SSL object using the SSL_CTX_use_PrivateKey API of OpenSSL. Phonate
@Centner: I have gone through the CAPI engine APIs. Firstly, for making an SSL connection using OpenSSL, we have to load the private key into the ssl_ctx object; for that SSL_CTX_use_PrivateKey (OpenSSL API) is called. Now for this the CAPI engine provides an API `capi_load_privkey` that internally exports the public key, not the private key. I don't find any other CAPI engine API that allows us to use the private key from the store itself w/o actually exporting it. Phonate
I don't know if OpenSSL can work directly with the Windows store in that manner. Zajac
This looks relevant: Attach an ENGINE context to a SSL_CTX. Unfortunately, no useful answers. Here's something similar with answers: How to generate certificate if private key is in HSM? But it misses your mark. Centner
@Centner Does that mean I am going in the wrong direction for achieving what I want? Phonate
@Phonate - here is the discussion thread you are looking for: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine. They even discuss MS-CAPI. Pay attention to Dr. Henson's answer. He is one of the OpenSSL devs. Jakob also has good information, but I tend to gravitate towards an OpenSSL dev's answer. Centner
@Centner Thanks, the link is indeed very helpful. But still the problem persists because in that discussion, they are trying to load, i.e. export, the private key from the Windows store, but it is not possible since the private key is marked as NON-EXPORTABLE. So the question again loops back and asks "how to use a non-exportable private key from the Windows cert store itself (without exporting) in client authentication?" Phonate
The .NET TLS equivalents to OpenSSL that I have used (HttpClient and TcpClient + SslStream) seem to access non-exportable private keys only indirectly. You tell the API how to find the keys you want via a query and you get a certificate collection object back, but I think it only has a handle to the private keys, not the private keys themselves. Which seems to indicate that the API does what TLS needs it to do internally and hides everything behind a layer of abstraction. So... OpenSSL integration at the level you need doesn't seem too practical to me. Thibodeaux
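The route Centner describes in the comments (the capi engine performs the private-key operations inside CAPI, so the key never has to be exportable), shown as an added example that is not code from the question or from any commenter. It assumes the certificate was exported from the store without its key as a PEM file, that the subject substring matches exactly one certificate, and an OpenSSL build where `ENGINE_by_id("capi")` resolves; the function names are the example's own. The store-spec parser is portable; the engine part is Windows-only and guarded with `#ifdef _WIN32`.

```c
#include <string.h>

/* Store location as the mmc snap-in shows it, "CurrentUser\MY" or "LocalMachine\MY",
 * mapped onto the capi engine ctrl values "store_flags" (0 = current user, 1 = local
 * machine) and "store_name" (default "MY", the Personal store). Portable helper of
 * this example; returns 0 on success, -1 on input it does not understand. */
int parse_store_spec(const char *spec, char *store_name, size_t name_len, long *store_flags)
{
    const char *sep = strchr(spec, '\\');
    size_t loc_len = sep ? (size_t)(sep - spec) : strlen(spec);
    if (loc_len == 11 && strncmp(spec, "CurrentUser", 11) == 0) *store_flags = 0;
    else if (loc_len == 12 && strncmp(spec, "LocalMachine", 12) == 0) *store_flags = 1;
    else return -1;
    const char *name = sep ? sep + 1 : "MY";
    if (name[0] == '\0' || strlen(name) >= name_len) return -1;
    strcpy(store_name, name);
    return 0;
}
#ifdef _WIN32                    /* the capi engine exists only in Windows builds */
#include <openssl/engine.h>
#include <openssl/ssl.h>
/* Binds the store's private key to ctx without exporting it: key_id is matched as a
 * substring of the certificate subject (lookup_method 1), the engine copies out only
 * the public half, and every signature is computed inside CAPI. The certificate is
 * public and read from a PEM export made without the key. Returns 1 on success. */
int load_capi_identity(SSL_CTX *ctx, const char *store_spec,
                       const char *subject_substr, const char *cert_pem)
{
    char store_name[64]; long store_flags;
    if (parse_store_spec(store_spec, store_name, sizeof store_name, &store_flags) != 0)
        return 0;
    ENGINE_load_builtin_engines();
    ENGINE *e = ENGINE_by_id("capi");
    if (e == NULL) return 0;
    if (!ENGINE_init(e)) { ENGINE_free(e); return 0; }  /* ctrl needs an initialised engine */
    EVP_PKEY *pkey = NULL;
    if (ENGINE_ctrl_cmd_string(e, "store_name", store_name, 0)
        && ENGINE_ctrl_cmd(e, "store_flags", store_flags, NULL, NULL, 0)
        && ENGINE_ctrl_cmd(e, "lookup_method", 1, NULL, NULL, 0))
        pkey = ENGINE_load_private_key(e, subject_substr, NULL, NULL);
    int ok = pkey != NULL
          && SSL_CTX_use_certificate_file(ctx, cert_pem, SSL_FILETYPE_PEM) == 1
          && SSL_CTX_use_PrivateKey(ctx, pkey) == 1
          && SSL_CTX_check_private_key(ctx) == 1;   /* compares the public components */
    EVP_PKEY_free(pkey);                             /* ctx holds its own reference */
    ENGINE_finish(e);
    ENGINE_free(e);
    return ok;
}
#endif
```

If you would rather let the engine pick the certificate at handshake time, `SSL_CTX_set_client_cert_engine(ctx, e)` hands that choice to the capi engine instead of loading a PEM file.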
