On 23/10/2018 17:22, Selva Nair wrote:
> On Tue, Oct 23, 2018 at 10:38 AM Richard Oehlinger via openssl-users
> <openssl-users@xxxxxxxxxxx> wrote:
>> Hi!
>> I'm trying to get a handle on the CAPI engine, because I need to have a
>> secure Keystore on Windows. Furthermore I need it to work with Qt's
>> QSslKey, which fortunately can be constructed by EVP_PKEY *.
>> So far so good. The key is found, but when I try to use it in an SSL
>> connection I get the following error:
>> error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object,
>> error:1409B006:SSL routines:ssl3_send_server_key_exchange:EVP lib
> Which version of OpenSSL?
>> Trace Output is:
>> Setting debug file to C:\Users\user\AppData\Local\Temp\engine.txt
>> Opening certificate store MY
>> capi_get_key, contname={4EBA52A8-AB4B-47DB-B777-2B26351F324C},
>> provname=Microsoft Enhanced Cryptographic Provider v1.0, type=1
>> Called CAPI_rsa_sign()
> This CSP cannot do SHA2 hashes so won't work unless you restrict
> signature algorithms or set TLS version to 1.1. I believe OpenSSL
> 1.1.0 will try to load the ".. Enhanced RSA AES .. Provider" which
> can handle SHA2 and may work. I say "may" because, if the key store is
> a legacy hardware token, it also depends on signature algorithms supported
> by the token and it may be necessary to downgrade to TLS 1.1.
The above limitations are less severe in CNG ("CryptoAPI Next Generation")
on Windows 6.00 and later, where the old API and CSP names are actually
emulations on top of a new structure with much smaller "KSP" providers.
At the same time, the CNG emulation of the classic CryptoAPI functions
is limited to what was available in Windows 5.01 SP2 and 5.02 SP2, thus
much of the SHA-2 functionality is available only by calling the CNG
APIs directly on Windows >= 6.00, but the older APIs with a reference
to newer enum values introduced in Windows 5.01 SP3 or 5.02 SP2+Hotfix.
Put another way, Microsoft forked their crypto source tree sometime in
2004 or 2005, and anything added later was implemented differently in
the 5.0x and 6.0x code bases.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
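As an added example that is not part of the thread and not code from OpenSSL or Qt: a PowerShell script that reports, for a certificate in the store, the same container name, provider name and provider type that the capi_get_key trace line above prints, and flags keys whose CSP cannot create SHA-2 hash objects (the condition behind "cant create hash object"). It assumes Windows PowerShell 5.1 on .NET Framework, where a key held by a legacy CSP is exposed as RSACryptoServiceProvider and a CNG key as RSACng. The function names, the Sha2Hash mapping (PROV_RSA_FULL = no, PROV_RSA_AES = yes, taken from the thread and from the CryptoAPI provider documentation) and the placeholder thumbprint are mine.

```powershell
# Added example, not code from the thread or from OpenSSL. Reports which
# CryptoAPI provider holds a certificate's private key: the same container
# name, provider name and provider type that the capi engine trace prints in
# its capi_get_key line. Assumes Windows PowerShell 5.1 on .NET Framework.

# Provider type constants from wincrypt.h.
$PROV_RSA_FULL = 1    # classic CSPs such as "Microsoft Enhanced Cryptographic Provider v1.0"
$PROV_RSA_AES  = 24   # "Microsoft Enhanced RSA and AES Cryptographic Provider", the SHA-2 capable CSP

function Get-CertKeyProviderInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        # The engine opens the "MY" store; for the current user that is this path.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { throw "No certificate with thumbprint $thumb in $StorePath" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key in $StorePath" }

    # Legacy CSP keys come back as RSACryptoServiceProvider; CNG keys give $null
    # or a CryptographicException here depending on the .NET build, so catch it.
    $csp = $null
    try { $csp = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider] } catch { }

    if ($null -eq $csp) {
        # CNG key: it lives in a KSP, not in a CSP, so the CryptAcquireContext path
        # shown in the trace does not apply; report the KSP name instead.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
            throw "Private key of $thumb is neither a CSP nor a CNG RSA key"
        }
        return [pscustomobject]@{
            Thumbprint   = $thumb
            Api          = 'CNG'
            Provider     = $rsa.Key.Provider.Provider
            ProviderType = $null
            Container    = $rsa.Key.KeyName
            MachineKey   = $rsa.Key.IsMachineKey
            HardwareKey  = $null     # not exposed through CngKey; depends on the KSP
            Sha2Hash     = 'n/a (KSP; the caller hashes, the KSP only signs)'
        }
    }

    $info = $csp.CspKeyContainerInfo
    # Map the provider type to SHA-2 support in CryptCreateHash/CryptSignHash:
    # PROV_RSA_AES supports CALG_SHA_256/384/512, PROV_RSA_FULL providers do not
    # (assumption taken from the thread and the CSP documentation).
    if ($info.ProviderType -eq $PROV_RSA_AES)      { $sha2 = 'yes' }
    elseif ($info.ProviderType -eq $PROV_RSA_FULL) { $sha2 = 'no (legacy CSP)' }
    else                                           { $sha2 = 'unknown' }

    [pscustomobject]@{
        Thumbprint   = $thumb
        Api          = 'CryptoAPI (CSP)'
        Provider     = $info.ProviderName
        ProviderType = $info.ProviderType
        Container    = $info.KeyContainerName
        MachineKey   = $info.MachineKeyStore
        HardwareKey  = $info.HardwareDevice   # true for smart cards / tokens behind a CSP
        Sha2Hash     = $sha2
    }
}

function Find-LegacyCspKeys {
    # Scan a store for certificates whose key sits in a PROV_RSA_FULL CSP, i.e.
    # the ones that will hit the SHA-2 signing failure on a TLS 1.2 handshake.
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        try { Get-CertKeyProviderInfo -Thumbprint $_.Thumbprint -StorePath $StorePath }
        catch { Write-Warning $_ }
    } | Where-Object { $_.ProviderType -eq $PROV_RSA_FULL }
}

# Usage (the thumbprint is a placeholder, not one from the thread):
# Get-CertKeyProviderInfo -Thumbprint '<server certificate thumbprint>' | Format-List
# Find-LegacyCspKeys | Format-Table Provider, Container, HardwareKey, Sha2Hash
```

A key reported with ProviderType 1 and HardwareKey false is a software key that can be moved into the SHA-2 capable CSP: with an exportable PFX, re-import it with certutil's -csp option (`certutil -user -p <password> -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importPFX server.pfx`; check `certutil -importPFX -?` for the option set on your Windows version). For a hardware token the CSP is whatever the token driver provides, which is Selva's point, and the remaining options are the OpenSSL-side ones named in the thread: restrict the signature algorithms (SSL_CTX_set1_sigalgs_list()) or cap the protocol (SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION) in OpenSSL 1.1.0), both of which only work if the peer still accepts SHA-1 signatures or TLS 1.1.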