
I am creating an SSL connection using the OpenSSL API. As we know, in an SSL handshake a series of certificate authentications occurs for the server or client. Now for client certificate authentication, the client's certificate and associated private key are stored in the Windows Certificate Store.

This certificate, with its private key, is imported into the store after combining them into PFX format; that PFX file is then imported into the Windows cert store. While importing this PFX file using the MMC snap-in, it asks whether we want to make the private key exportable or not. Now OpenSSL comes into the picture for making the SSL connection.

For that we have to create an SSL_CTX object in which all the connection-related properties are loaded. Now, for loading the private key from the Windows certificate store into the SSL_CTX object, I have marked that private key exportable, so that I can export the key using the Crypto API. But I think marking a private key exportable does not make any sense; it's a security breach.

Since the private key will always be marked non-exportable, is there any method or API of OpenSSL, etc. that can directly read and load the private key from the Windows cert store into the SSL_CTX object for making an SSL connection?

I know there is definitely some way for this to work, but I am not getting it. I have searched a lot for this but have not found the required thing.

Summarized question: The certificate store holds many certificates and associated private keys. How are the certificates and private keys accessed when making an SSL connection?

EDIT: I have gone through an OpenSSL engine API called

`EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, UI_METHOD *ui_method, void *callback_data);`

Now how can I get this key_id of the private key? Also, I think this API internally calls the Crypto API CryptExportKey, and this API fails if the private key is marked non-exportable.

    See [Using Windows certificate store through OpenSSL](http://openssl.6102.n7.nabble.com/Using-Windows-certificate-store-through-OpenSSL-td46788.html) on the OpenSSL mailing list. Stack Overflow could probably use a good example of doing it (I'm not aware that one exists). – jww Jan 01 '16 at 04:01
  • @jww Thanks for the link you provided. It was a bit helpful. But the problem here is to use Private Key from within the Store without actually exporting it for making an SSL connection. – User1234 Jan 01 '16 at 06:59
  • The CAPI engine is supposed to use CAPI to perform the private key operations so export is *not* needed. It does not matter where you use it - Signing, Verification, SSL connection, etc. If you want to export the private key, then that's a slightly different problem. – jww Jan 01 '16 at 07:08
  • I don't remember by heart, but if I remember correctly (it's been some time since I played with that) you can create a certificate engine (it's a Windows object) that verifies the certificates automatically for you. – TCS Jan 01 '16 at 19:57
  • @TCS thanks for your concern. But actually the problem I am facing is with the private key. The private key is present in the Windows store (marked as non-exportable). Now for creating an SSL session I need to load this private key into the SSL object using the `SSL_CTX_use_PrivateKey` API of OpenSSL. – User1234 Jan 02 '16 at 16:33
  • @jww: I have gone through the CAPI engine APIs. Firstly, for making an SSL connection using OpenSSL, we have to load the private key into the ssl_ctx object; for that `SSL_CTX_use_PrivateKey` (OpenSSL API) is called. Now for this the CAPI engine provides an API `capi_load_privkey` that internally exports the `public key`, not the `private key`. I don't find any other CAPI engine API that allows us to use the private key from the store itself w/o actually exporting it. – User1234 Jan 02 '16 at 16:43
  • I don't know if openssl can work directly with Windows store in that manner. – TCS Jan 02 '16 at 16:49
  • This looks relevant: [Attach an ENGINE context to a SSL_CTX](http://stackoverflow.com/q/14524152). Unfortunately, no useful answers. Here's something similar with answers: [How to generate certificate if private key is in HSM?](http://stackoverflow.com/q/30905850) But it misses your mark. – jww Jan 02 '16 at 17:01
  • @jww Does that mean I am going in the wrong direction for achieving what I want? – User1234 Jan 02 '16 at 17:15
  • @User1234 - here is the discussion thread you are looking for: [How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine](http://openssl.6102.n7.nabble.com/How-to-over-ride-SSL-CTX-use-PrivateKey-file-behavior-with-custom-engine-td42571.html). They even discuss MS-CAPI. Pay attention to Dr. Henson's answer. He is one of the OpenSSL devs. Jakob also has good information, but I tend to gravitate towards an OpenSSL dev's answer. – jww Jan 03 '16 at 14:11
  • @jww Thanks, the link is indeed very helpful. But still the problem persists, because in that discussion they are trying to load, i.e. export, the private key from the Windows store, but it is not possible since the private key is marked as NON-EXPORTABLE. So the question again loops back and asks "how to use a non-exportable private key from the Windows cert store itself (without exporting) in client authentication?" – User1234 Jan 10 '16 at 17:51
  • The .NET TLS equivalents that I have used to OpenSSL (HttpClient and TcpClient+SslStream) seem to access non-exportable private keys only indirectly. You tell the API how to find the keys you want via a query and you get a certificate collection object back, but I think it only has a handle to the private keys, not the private keys themselves. Which seems to indicate that the API does what TLS needs it to do internally and hides everything behind a layer of abstraction. So... OpenSSL integration at the level you need doesn't seem practical to me. – Timothy John Laird Nov 05 '17 at 21:46

0 Answers