[openssl-users] CAPI-Engine doc

Jakob Bohm jb-openssl at wisemo.com
Tue Oct 23 15:42:56 UTC 2018

On 23/10/2018 17:22, Selva Nair wrote:
> On Tue, Oct 23, 2018 at 10:38 AM Richard Oehlinger via openssl-users
> <openssl-users at openssl.org> wrote:
>> Hi!
>> I'm trying to get a handle on the CAPI engine, because I need to have a
>> secure Keystore on Windows. Furthermore I need it to work with Qt's
>> QSslKey, which fortunately can be constructed by EVP_PKEY *.
>> So far so good. The key is found, but when I try to use it in a SSL
>> connection i get following error:
>> error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object,
>> error:1409B006:SSL routines:ssl3_send_server_key_exchange:EVP lib
> Which version of OpenSSL?
>> Trace Output is:
>> Setting debug file to C:\Users\user\AppData\Local\Temp\engine.txt
>> Opening certificate store MY
>> capi_get_key, contname={4EBA52A8-AB4B-47DB-B777-2B26351F324C},
>> provname=Microsoft Enhanced Cryptographic Provider v1.0, type=1
>> Called CAPI_rsa_sign()
> This CSP cannot do SHA2 hashes so won't work unless you restrict
> signature algorithms or set TLS version to 1.1. I believe OpenSSL
> 1.1.0 will try to load The ".. Enhanced RSA AES .. Provider" which
> can handle SHA2 and may work. I say "may" because, if the key store is
> a legacy hardware token, it also depends on signature algorithms supported
> by the token and may be necessary to downgrade to TLS 1.1.
The above limitations are less severe in CNG ("CryptoAPI Next Generation")
on Windows 6.00 and later, where the old API and CSP names are actually
emulations on top of a new structure with much smaller "KSP" providers.
At the same time, the CNG emulation of the classic CryptoAPI functions
are limited to what was available in Windows 5.01 SP2 and 5.02 SP2, thus
much of the SHA-2 functionality is available only by calling the CNG
APIs directly on Windows >= 6.00, but the older APIs with a reference
to newer enum values introduced in Windows 5.01 SP3 or 5.02 SP2+Hotfix.

Put another way, Microsoft forked their crypto source tree sometime in
2004 or 2005, and anything added later was implemented differently in
the 5.0x and 6.0x code bases.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list