Open Akretsch opened 1 year ago
I'm noticing that the key in question is locked... not sure how this works, but could that be a problem?
Yeah my exact thoughts, I have not tested the provider with password protected keys. I'll try to generate myself a few of these and get back to you.
Also I'll try to add a few more debug lines to narrow down the source of your problem.
In the meantime, let me know if the provider works for you when the key is not password protected but still marked as non-exportable.
Unfortunately I was not able to reproduce your problem. Maybe it has to do with the KeyStore explorer. Please try to import the certificate into the CNG store with the normal Windows tools. A pkcs12 certificate with an associated key can be easily imported by just double clicking on it in Windows explorer. Then you can even specify whether or not the user should be prompted for a password on each key usage.
Then when using the provider you should see the line `Got a Pkey`. The fact that this line is missing in your log suggests that maybe the associated private key did not get imported into the CNG store.
Try looking into the `certmgr` utility on Windows, navigate to `Personal` certificates and tell me if you can see the line `You have a private key that corresponds to this certificate.`. It appears at the bottom of the text input and looks like this:
Now I used the "Crypto Shell Extensions" to import a pkcs12 file containing a self-signed certificate and a related RSA key. It's visible at "Certificate - Local Computer -> Personal -> Certificates": But the client did not find it:
C:\git\cng-openssl-provider\custom-build-directory\client\Debug>client.exe
PROGRAM> We will connect to a remote server and check the SSL certificate
Configuration in section openssl_init
Adding config module 'alg_section'
Adding config module 'providers'
Adding config module 'random'
Loading providers module: section provider_sect
Configuring provider default
Provider params: start section default_sect
Provider params: finish section default_sect
Running module providers (provider_sect) returned 1
Looking up scheme cng
cng_store_open
STORE> The system store is open. Continue.
Found loader for scheme cng
Opened cng://MY => 0x1dc495fa720
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
PROGRAM> Found certificate in store
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
PROGRAM> Found certificate in store
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
PROGRAM> Found certificate in store
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
PROGRAM> Found certificate in store
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
PROGRAM> Found certificate in store
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
cng_store_eof
Closing 0x1dc495fa720
cng_store_close
PROGRAM> Could not find certificate with this common name in store
PROGRAM> Client exiting...
Cleaned up providers
Cleaned up providers
Sorry for late response. Last week I was sick.
I can see that the output has changed and the program now failed due to not being able to find the right common name. I've included a few more lines in the client application to print out the subject name of the certificate. Try to compile the new code and run the client again, maybe the debug info will help you.
My guess is that there is a slight mismatch in the certificate you have and the certificate that the client wants.
Also don't be afraid to change the `SEARCH_VALUE` or even `SEARCH_FACTOR` to better suit your needs so you don't have to generate certificates based on names I made up :)
Thanks for the debug output. I get:
C:\git\cng-openssl-provider\custom-build-directory\client\Debug>client
PROGRAM> We will connect to a remote server and check the SSL certificate
Configuration in section openssl_init
Adding config module 'alg_section'
Adding config module 'providers'
Adding config module 'random'
Loading providers module: section provider_sect
Configuring provider default
Provider params: start section default_sect
Provider params: finish section default_sect
Running module providers (provider_sect) returned 1
Looking up scheme cng
cng_store_open
STORE> The system store is open. Continue.
Found loader for scheme cng
Opened cng://MY => 0x22ebde5bb10
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
cng_store_eof
Closing 0x22ebde5bb10
cng_store_close
PROGRAM> Could not find certificate with this common name in store
PROGRAM> Client exiting...
Cleaned up providers
Cleaned up providers
So the client finds the certificates on my company smart card (there are also private keys) but not the certificates shown by the certmgr at "Certificate - Local Computer -> Personal -> Certificates".
If I use
#define SEARCH_FACTOR NID_serialNumber
#define SEARCH_VALUE "ZZZZZGXC"
I get
C:\git\cng-openssl-provider\custom-build-directory\client\Debug>client.exe
PROGRAM> We will connect to a remote server and check the SSL certificate
Configuration in section openssl_init
Adding config module 'alg_section'
Adding config module 'providers'
Adding config module 'random'
Loading providers module: section provider_sect
Configuring provider default
Provider params: start section default_sect
Provider params: finish section default_sect
Running module providers (provider_sect) returned 1
Looking up scheme cng
cng_store_open
STORE> The system store is open. Continue.
Found loader for scheme cng
Opened cng://MY => 0x1b6b6ffb4e0
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
Closing 0x1b6b6ffb4e0
cng_store_close
Looking up scheme cng
cng_store_open
STORE> The system store is open. Continue.
Found loader for scheme cng
Opened cng://MY => 0x1b6b8d859f0
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
cng_store_eof
Closing 0x1b6b8d859f0
cng_store_close
PROGRAM> Could not find matching private key in store
PROGRAM> Client exiting...
Cleaned up providers
Cleaned up providers
The client finds the certificate but not the key.
So I would summarize:
Maybe the behavior depends on the Windows version or some company policies.
Oh I see where the problem is! The system store locations on Windows are a bit confusing due to the overlapping names.
There is a difference between `current user` and `local machine`, or as you have written in `local computer`.
The `certmgr` utility is actually only a "mode" of the `mmc.exe`. You have opened `certlm` not `certmgr`, they look the same in the GUI though and have the same structure.
Try importing the key into the `current user` store. Either search in the Windows search bar for `user certificate manager` or run `mmc.exe` and under `File` choose `certmgr`. Then go to `Personal` > `Certificates` and right-click and choose `All tasks` > `Import`.
Another option is to choose `Import for current user` not `Import for local computer` when you double-click on the certificate in Windows Explorer and follow the import wizard.
I will add a new issue to allow usage of other certificate stores other than the `CERT_SYSTEM_STORE_CURRENT_USER` such as `CERT_SYSTEM_STORE_LOCAL_MACHINE`. But this should solve your problem.
@DDvO does the thumbs up mean that this solved your problem and I can close the issue, or that you have interest in other stores than the user store?
My 'thumbs up' in this case just means that I'm glad a solution apparently was found. I did not try myself, but I'm sure @Akretsch will do and confirm if it works now for him.
Now I used the `user certificate manager` to import a self-signed `CN = CNG 2 Client` certificate and key. It is visible beside my smart card certificates at `Certificates - Current User -> Personal -> Certificates`
. is also there.
Unfortunately the situation did not improve:
C:\git\cng-openssl-provider\custom-build-directory\client\Debug>client.exe
PROGRAM> We will connect to a remote server and check the SSL certificate
Configuration in section openssl_init
Adding config module 'alg_section'
Adding config module 'providers'
Adding config module 'random'
Loading providers module: section provider_sect
Configuring provider default
Provider params: start section default_sect
Provider params: finish section default_sect
Running module providers (provider_sect) returned 1
Looking up scheme cng
cng_store_open
STORE> The system store is open. Continue.
Found loader for scheme cng
Opened cng://MY => 0x23093402f60
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
PROGRAM> Found certificate in store <==================================================
CN=CNG 2 Client
Closing 0x23093402f60
cng_store_close
Looking up scheme cng
cng_store_open
STORE> The system store is open. Continue.
Found loader for scheme cng
Opened cng://MY => 0x230951c7290
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
Got a Certificate
cng_store_eof
cng_store_eof
Loading next object
cng_store_load
cng_store_eof
Closing 0x230951c7290
cng_store_close
PROGRAM> Could not find matching private key in store <===================================
PROGRAM> Client exiting...
Cleaned up providers
Cleaned up providers
Yeah, that is unfortunate.
I've tried to change the debug output to something more useful. Please try to compile the new version of the client and run it again. Hopefully it will give us more insight.
C:\Users\kretscha>cd \git\cng-openssl-provider\custom-build-directory\client\Debug
C:\git\cng-openssl-provider\custom-build-directory\client\Debug>client
PROGRAM> We will connect to a remote server and check the SSL certificate
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
PROGRAM> The certificate does not match search factor. Skipping.
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
PROGRAM> The certificate does not match search factor. Skipping.
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
PROGRAM> The certificate does not match search factor. Skipping.
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
PROGRAM> The certificate does not match search factor. Skipping.
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
PROGRAM> The certificate does not match search factor. Skipping.
PROGRAM> Found certificate in store
CN=CNG 2 Client
PROGRAM> The certificate matches search factor. Trying to load it into SSL context.
PROGRAM> Public key of the certificate is: Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
PROGRAM> Certificate successfully loaded into SSL context
PROGRAM> Could not find matching private key in store
PROGRAM> Client exiting...
Unfortunately the next 2 weeks I will be away without access to my laptop.
I have another idea! Do you perhaps have a certificate that has an ECC not an RSA key associated with it in your CNG store?
As the ECC export is not implemented yet, this might cause problems. If it is possible, would you mind removing ECC certificates and leaving only RSA ones when trying to run the client?
> I have another idea! Do you perhaps have a certificate that has an ECC not an RSA key associated with it in your CNG store?

As can be seen from the above output provided by @Akretsch, he was using a 2048-bit RSA key.
> > I have another idea! Do you perhaps have a certificate that has an ECC not an RSA key associated with it in your CNG store?
>
> As can be seen from the above output provided by @Akretsch, he was using a 2048-bit RSA key.

Yes, I can see that. But if the store contains an ECC key as well as an RSA key it might break things.
Now I understand what you meant. If the store contains both RSA and EC keys/certs but with different identifiers this should not be a problem. Anyway he only talked about RSA keys, and his other (company) key material is RSA-only. And he certainly did not place RSA and EC keys/certs with the same identifier.
So I'm pretty sure the issue is not about RSA vs. EC keys/certs. Since the Windows KeyStore explorer is able to relate to the test cert a corresponding private key, your tool should be as well.
> I have not tested the provider with password protected keys. I'll try to generate myself a few of these and get back to you.

Did you meanwhile test positively with a key that is password-protected?
> > I have not tested the provider with password protected keys. I'll try to generate myself a few of these and get back to you.
>
> Did you meanwhile test positively with a key that is password-protected?

Yes, keys that need password input on each use work with this provider. You will see the usual Windows dialog box pop up when you use them.
> Now I understand what you meant. If the store contains both RSA and EC keys/certs but with different identifiers this should not be a problem. Anyway he only talked about RSA keys, and his other (company) key material is RSA-only. And he certainly did not place RSA and EC keys/certs with the same identifier.
> So I'm pretty sure the issue is not about RSA vs. EC keys/certs. Since the Windows KeyStore explorer is able to relate to the test cert a corresponding private key, your tool should be as well.

When an ECC key is in the store it will be a problem for the provider during enumeration.
But as this is not the case and I’m unable to recreate it. Would you mind sending me the certificate you have generated so I can try it myself? @Akretsch
Thanks
@Lipovlan, it appears that your code assumes that all keys are RSA keys. That's quite clear by just looking at this line, that declares every key you load as an RSA key, unchecked:
It would be good if this function checked that the CNG key type indicates that it's an RSA key and only "load" it if it is.
Yeah good idea! I've implemented the check. @Akretsch should be back soon, so I'm wondering if this solves his problem.
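
The checks discussed in this thread (which store location holds the certificate, whether Windows associates a private key with it, and whether that key is RSA), as an added PowerShell example that is not part of cng-openssl-provider or of any participant's post. The function name `Get-PersonalStoreReport` and the variable `$SearchCN` are assumptions made for illustration.

```powershell
# Added diagnostic example; not part of cng-openssl-provider.
# $SearchCN is a sample value: the CN of the test certificate named in the thread.
$SearchCN = 'CNG 2 Client'

function Get-PersonalStoreReport {
    param([Parameter(Mandatory)][string]$CommonName)

    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $rsaOid     = '1.2.840.113549.1.1.1'   # OID of rsaEncryption

    # "Personal" in certmgr is Cert:\CurrentUser\My, in certlm it is Cert:\LocalMachine\My.
    foreach ($location in 'CurrentUser', 'LocalMachine') {
        $path = "Cert:\$location\My"
        foreach ($cert in (Get-ChildItem -Path $path -ErrorAction SilentlyContinue)) {
            $cn = $cert.GetNameInfo($simpleName, $false)   # subject name, not issuer
            if ($cn -ne $CommonName) { continue }

            # Order follows the thread: store location, key association, key type.
            $finding = if ($location -ne 'CurrentUser') {
                'in the local machine store; the thread says only the current user store is opened'
            } elseif (-not $cert.HasPrivateKey) {
                'certificate only; Windows has no private key associated with it'
            } elseif ($cert.PublicKey.Oid.Value -ne $rsaOid) {
                'non-RSA key; the thread says ECC is not implemented yet'
            } else {
                'current user store, private key associated, RSA'
            }

            [pscustomobject]@{
                Store         = $path
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey
                KeyAlgorithm  = $cert.PublicKey.Oid.FriendlyName
                Finding       = $finding
            }
        }
    }
}

Get-PersonalStoreReport -CommonName $SearchCN | Format-List
```

No output means neither Personal store contains a certificate with that common name.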
> But as this is not the case and I’m unable to recreate it. Would you mind sending me the certificate you have generated so I can try it myself? @Akretsch
> Thanks

Please unpack cng2.zip, the password of the .p12 is "12345"
UPDATE: I'm not at all sure I'm making sense here, considering the trace showing that at least the certificate was correctly extracted.
So the store, in this case, is a PKCS#12 file. Isn't this kinda sorta hinted at in #5? (`CertOpenStore()` can open a PKCS#12 file, while `CertOpenSystemStore()`, which is currently used, cannot if I read the docs correctly.)
As already written in https://github.com/Lipovlan/cng-openssl-provider/issues/4#issuecomment-1562371968 :
I used the `user certificate manager` to import the self-signed `CN = CNG 2 Client` certificate and key from the .p12.
But to be honest: Finally I want to use the more easy codebase of the cng-openssl-provider to get my own provider running (see also https://github.com/openssl/openssl/issues/20845). Maybe I can extract a kind of a provider frame/template/skeleton and simply inject my few lines of signing code to get a full working provider which is also able to do CMS. So in the first step I have to prove a working CNG provider.
The result is still:
C:\git\cng-openssl-provider\custom-build-directory\client\Debug>client.exe
PROGRAM> We will connect to a remote server and check the SSL certificate
STORE> The system store is now open.
STORE> Trying to preload certificates from store.
STORE> Trying to preload private keys from store.
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
PROGRAM> The certificate does not match search factor. Skipping.
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
PROGRAM> The certificate does not match search factor. Skipping.
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
PROGRAM> The certificate does not match search factor. Skipping.
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
PROGRAM> The certificate does not match search factor. Skipping.
PROGRAM> Found certificate in store
serialNumber=ZZZZZGXC, GN=Andreas, SN=Kretschmer, O=Siemens, CN=Kretschmer Andreas
PROGRAM> The certificate does not match search factor. Skipping.
PROGRAM> Found certificate in store
CN=CNG 2 Client
PROGRAM> The certificate matches search factor. Trying to load it into SSL context.
PROGRAM> Public key of the certificate is: Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
PROGRAM> Certificate successfully loaded into SSL context
STORE> The system store is now open.
STORE> Trying to preload certificates from store.
STORE> Trying to preload private keys from store.
PROGRAM> Could not find matching private key in store
PROGRAM> Client exiting...
CMS.... is a more difficult beast. It lacks full provider support in some areas, which is something I'm going to talk about next week.
@Akretsch I have tried to use your key and unfortunately the code still works for me. I will try to spin up a VM and try a clean setup. Hopefully I'll be able to get some results.
And I'm really glad, that you considered this provider as a stepping stone! That is what I had in mind when creating it :)
I just had a closer look at the error output.
According to `The certificate does not match search factor. Skipping.` and your code, you only accept certs that have in their subject the common name `"CNG 2 Client"`, so no wonder it works (just) for you :wink:
Ah, Andreas pointed out to me what he wrote before that he also tried using your test certs, with correctly matching common name, but even this failed for him.
Anyway, please do not hard-code a restriction on the common name of the certificates loadable by your provider.
This selection should be done otherwise, via a scheme, e.g. by `cng:file-path-name` or by a property query like `provider=cng` though I do not (yet) know if/how this works.
Indeed. Andreas has even generated his own certificates and changed the relevant parts of declarations in the code as far as I'm aware.
The certificate name should be part of the scheme as you pointed out, yet there wasn't time to implement that. I'm thinking about something along the lines of adding to the current scheme `cng://store-type` identifier type-value pair like `cng://store-type/identifier-type/identifier-value`. So addressing via `cng://MY/commonName/CNG 2 Client` should be possible.
With heavy help of @DDvO I got CMS to work for me. So I will leave for now. Thanks for your help!
I have no idea what CMS means in this context but hooray!
Also I realized, that the provider itself does not have the common name hard-coded. Only stuff in the "test application" that is a TLS client has stuff hard-coded and I won't be changing that any time soon.
The provider just enumerates what is in one of the select-able CNG stores, so that should not pose a problem.
> I have no idea what CMS means in this context but hooray!

@Akretsch was considering using your provider implementation as a model for his provider to help fixing issues like these: https://github.com/openssl/openssl/issues/20845 where using his provider did not work for CMS signing.
> Also I realized, that the provider itself does not have the common name hard-coded. Only stuff in the "test application" that is a TLS client has stuff hard-coded and I won't be changing that any time soon.

Good point. Yet Andreas was using your test client, so among others he faced this IMHO needless issue.
> The provider just enumerates what is in one of the select-able CNG stores, so that should not pose a problem.

I see - so for general use of the provider, this is fine.
I used the KeyStore Explorer to add an RSA key and a "CN=CNG 2 Client" Certificate to the Windows-MY store: The client finds the certificate but not the related private key:
My OpenSSL version is 3.2.0. What did I do wrong?
Thanks in advance!
@ddvo