Hi,
I am quite new to OpenSSL on Windows and I did some research on the net to solve my problem, but available knowledge seems to be limited.
I need to develop a TLS 1.2 application using OpenSSL 1.0.2 (FIPS compliant version) on the Windows platform. I have a requirement that it should get certificates, keys and CRLs from the Windows cert store, and it should use TLS 1.2 EC-based suites.
I have some knowledge about crypto, TLS and OpenSSL, but Windows integration is quite new for me.
Correct me if I am wrong, but as far as I know there are, at least in theory, 2 ways of doing this:
1) Get the required certs/keys from the Windows store using the Windows API (Crypto API or CNG?) and load them into OpenSSL. I generated self-signed certs/keys and imported them into the Windows MY store. Getting certificates from there programmatically using WinAPI is quite easy and works (CertFindCertificateInStore, etc.), but is it possible to also retrieve the corresponding private keys? I see functions like CryptExportPKCS8Ex, but it seems they are marked as deprecated. Is there any working example of retrieving a specific key using it? Or perhaps it would be easier to use the CNG API to do it?
2) Use OpenSSL directly with the CryptoAPI engine (capi). Setting the capi engine, I was able to sign and verify signatures using RSA certs/keys, but it seems that CryptoAPI (and the capi engine using it) does not support EC.
I realize that some of these questions are more Windows-related, but I think the problem of using OpenSSL for modern TLS communication using the Windows store should be known and well researched, yet relevant information on the net is sparse.
Thanks a lot in advance for any help.
Best regards,
Pawel
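A quick way to see why option 2) stops at RSA is to check, for each certificate in the store, whether its private key lives in a legacy CryptoAPI CSP (the only kind the OpenSSL capi engine can drive) or in a CNG key storage provider (where EC keys are kept). The PowerShell below is an added example, not code from the original post or from OpenSSL; it uses the .NET X509Certificate2 extension methods, and the function name Get-StoreKeyBackend and the default store path are my own choices.

```powershell
# Added example (not from the original post). Lists certificates in the
# given store and reports, for each one with a private key, whether the
# key is held by a legacy CryptoAPI CSP or by a CNG key storage provider.
function Get-StoreKeyBackend {
    param([string]$StorePath = 'Cert:\CurrentUser\My')  # assumed default

    foreach ($cert in Get-ChildItem $StorePath) {
        $backend  = 'none'
        $provider = ''
        if ($cert.HasPrivateKey) {
            try {
                # Each helper returns $null when the certificate's key is of
                # the other algorithm, so both calls are safe on any cert.
                $ec  = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

                if ($ec -is [System.Security.Cryptography.ECDsaCng]) {
                    # EC keys are only ever CNG keys on Windows.
                    $backend  = 'CNG'
                    $provider = $ec.Key.Provider.Provider
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CSP key: reachable through CryptoAPI / capi engine.
                    $backend  = 'CAPI CSP'
                    $provider = $rsa.CspKeyContainerInfo.ProviderName
                } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $backend  = 'CNG'
                    $provider = $rsa.Key.Provider.Provider
                }
            } catch [System.Security.Cryptography.CryptographicException] {
                # Key exists but is not accessible to this user (ACL, smart card, ...).
                $backend  = 'inaccessible'
                $provider = $_.Exception.Message
            }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Algorithm  = $cert.PublicKey.Oid.FriendlyName   # 'RSA' or 'ECC'
            Backend    = $backend
            Provider   = $provider
        }
    }
}

Get-StoreKeyBackend | Format-Table -AutoSize
```

Any certificate that shows Backend = CNG will not be usable through the capi engine, regardless of algorithm; an RSA key imported into a CNG provider is affected the same way as an EC key. Running this before wiring up OpenSSL tells you which of your store entries the engine can actually reach and which would need a CNG-based path instead.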