[openssl-users] CAPI-Engine doc

Richard Oehlinger richard.oehlinger at adbsafegate.com
Tue Oct 23 14:38:14 UTC 2018


I'm trying to get a handle on the CAPI engine, because I need to have a 
secure Keystore on Windows. Furthermore I need it to work with Qt's 
QSslKey, which fortunately can be constructed by EVP_PKEY *.

So far so good. The key is found, but when I try to use it in an SSL 
connection I get the following error:

error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object, 
error:1409B006:SSL routines:ssl3_send_server_key_exchange:EVP lib

I use a current Windows 10. Do I need to use a different Algorithm in 
order to work? Some googling is indicating the provider might be wrong.



I use the following code to load the key:

     // Load the CAPI engine through the "dynamic" loader
     ENGINE *engine = ENGINE_by_id("dynamic");
     ENGINE_ctrl_cmd_string(engine, "SO_PATH", "./capi.dll", 0);
     ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0);

     // Enable engine debug tracing to a file
     assert(ENGINE_cmd_is_executable(engine, CAPI_CMD_DEBUG_LEVEL));
     assert(ENGINE_ctrl(engine, CAPI_CMD_DEBUG_LEVEL, 2, nullptr, nullptr));
     assert(ENGINE_ctrl(engine, CAPI_CMD_DEBUG_FILE, 0,
                        (void*)"C:\\Users\\user\\AppData\\Local\\Temp\\engine.txt", 0));

     // Look up the private key by name; the last argument (callback_data) was
     // cut off in the archived post, NULL is assumed here
     EVP_PKEY *key = ENGINE_load_private_key(engine, "localhost", NULL, NULL);
     if (!key) {
         cerr << "key is null";
         return {};
     }
     QSslKey ssl_key(static_cast<Qt::HANDLE>(key));

Trace Output is:

Setting debug file to C:\Users\user\AppData\Local\Temp\engine.txt
Opening certificate store MY
capi_get_key, contname={4EBA52A8-AB4B-47DB-B777-2B26351F324C}, provname=Microsoft Enhanced Cryptographic Provider v1.0, type=1
Called CAPI_rsa_sign()
