How can I use a certificate read from the Windows Certificate store in OpenSSL?
I've setup a Windows project based on Boost Beasts's http_server_async_ssl.cpp - basically added an https server into my project. When I use the hardcoded certificate in that example, everything works, but when I export that certificate and load it into my code, I get " no shared cipher
".
I set up a minimal example . In main.cpp:79-83 I use load_server_certificate
which loads a certificate based on the thumbprint - this is what fails with " no shared cipher
". If I instead comment that out and use load_static_server_certificate (the original example hard coded keys) it works (I can post, get a response, etc. ).
Basically, this program searches for a given certificate thumbprint (searching through the store with CertEnumCertificatesInStore
), and once it finds a match, it loads the certificate. I based loading the certificate into the context off of an example I found while reading every Stack Overflow question about this - this answer especially .
ex/certificate_helpers.cpp :
509 = d2i_X509(nullptr, const_cast<const BYTE**>(&pCertContext->pbCertEncoded), pCertContext->cbCertEncoded);
bio = BIO_new(BIO_s_mem());
PEM_write_bio_X509(bio, x509);
ctx.add_certificate_authority(boost::asio::buffer(certificates.data(), certificates.size()), ec);
My context is setup before my stream starts (that seemed to be a common question), my certificate appears to be loading correctly. In the certificate store my certificate has a private key.
My next step is to figure out if I can extract that private key and potentially load it with add_private_key
, I also see the that the example uses a Diffie-Hellman parameter, if this is also required I have no idea how to use it - do I need it?
For using the certificate you could use use_certificate interface like you do for the add_certificate_authority interface.
For the private key is gets a little harder. See my answer here as a example of reading a RSA private key into a EVP_PKEY (ECC would require different code). Then you can use the PEM_write_bio_PrivateKey function to generate a pem blob and use the use_private_key interface to use it.
You can also skip the conversation to PEM format if you call the openssl functions directly using the ssl_context native_handle method.
eg
X509 *cert = readCert();
SSL_CTX_use_certificate(ctx.native_handle(), cert); // instead of the use_certificate call
EVP_PKEY *key = readKey();
SSL_use_PrivateKey(ctx.native_handle(), key); // instead of the use_private_key call
X509 *cert = readChainCert();
SSL_CTX_add_extra_chain_cert(ctx.native_handle(), cert); // use chain cert
X509 *cert = readCaCert();
X509_STORE *store = SSL_CTX_get_cert_store(ctx.native_handle()); // instead of the add_certificate_authority call
X509_STORE_add_cert(store, cert);
Update: Add example to use a PCCERT_CONTEXT (ie uses CryptAcquireCertificatePrivateKey api).
EVP_PKEY* extract_private_key(const PCCERT_CONTEXT context)
{
HCRYPTPROV_OR_NCRYPT_KEY_HANDLE key_handle;
DWORD key_spec = 0;
BOOL free_key;
if (!CryptAcquireCertificatePrivateKey(context, CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG | CRYPT_ACQUIRE_SILENT_FLAG, nullptr, &key_handle, &key_spec, &free_key))
{
return nullptr;
}
EVP_PKEY* pkey = nullptr;
DWORD length = 0;
if(SUCCEEDED(NCryptExportKey(key_handle, NULL, BCRYPT_RSAFULLPRIVATE_BLOB, nullptr, nullptr, 0, &length, 0)))
{
auto data = std::make_unique<BYTE[]>(length);
if(SUCCEEDED(NCryptExportKey(key_handle, NULL, BCRYPT_RSAFULLPRIVATE_BLOB, nullptr, data.get(), length, &length, 0)))
{
// https://docs.microsoft.com/en-us/windows/desktop/api/bcrypt/ns-bcrypt-_bcrypt_rsakey_blob
auto const blob = reinterpret_cast<BCRYPT_RSAKEY_BLOB*>(data.get());
if(blob->Magic == BCRYPT_RSAFULLPRIVATE_MAGIC)
{
auto rsa = RSA_new();
// n is the modulus common to both public and private key
auto const n = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp, blob->cbModulus, nullptr);
// e is the public exponent
auto const e = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB), blob->cbPublicExp, nullptr);
// d is the private exponent
auto const d = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus + blob->cbPrime1 + blob->cbPrime2 + blob->cbPrime1 + blob->cbPrime2 + blob->cbPrime1, blob->cbModulus, nullptr);
RSA_set0_key(rsa, n, e, d);
// p and q are the first and second factor of n
auto const p = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus, blob->cbPrime1, nullptr);
auto const q = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus + blob->cbPrime1, blob->cbPrime2, nullptr);
RSA_set0_factors(rsa, p, q);
// dmp1, dmq1 and iqmp are the exponents and coefficient for CRT calculations
auto const dmp1 = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus + blob->cbPrime1 + blob->cbPrime2, blob->cbPrime1, nullptr);
auto const dmq1 = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus + blob->cbPrime1 + blob->cbPrime2 + blob->cbPrime1, blob->cbPrime2, nullptr);
auto const iqmp = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus + blob->cbPrime1 + blob->cbPrime2 + blob->cbPrime1 + blob->cbPrime2, blob->cbPrime1, nullptr);
RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
pkey = EVP_PKEY_new();
// ownership of rsa transferred to pkey
EVP_PKEY_assign_RSA(pkey, rsa);
}
}
}
if(free_key)
{
NCryptFreeObject(key_handle);
}
return pkey;
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.