CAPI engine seems to break server validation

Jakob Bohm jb-openssl at wisemo.com
Mon Oct 26 13:35:14 UTC 2020


On 2020-10-24 16:09, Brett Stahlman wrote:
> Jakob,
> I don't really understand why the engine *needs* to do PSS. Neither of 
> the badssl certificates seems to use it for signatures. (I'm assuming the 
> fact that a cert was signed with RSA-PSS would show up in the Windows 
> certificate viewer...) If you could give a short summary of the problem 
> as you understand it, perhaps it would help me narrow in on a 
> workaround. I'd be happy with even an ugly patch at this point. Given 
> that server verification works fine with a ca-bundle file, I wonder 
> whether it would be possible to have the capi engine handle only the 
> client authentication. As you understand it, would the problem breaking 
> server verification also preclude client authentication with the capi 
> engine?
> 

From the content of your mails, I inferred that whatever you tried to 
do caused OpenSSL to attempt to generate PSS signatures but fail to 
pass that job to the CAPI engine.  I was commenting on how that might be
made to work.


> On Fri, Oct 23, 2020 at 11:34 AM Jakob Bohm via openssl-users 
> <openssl-users at openssl.org> wrote:
> 
>     On 2020-10-23 15:45, Matt Caswell wrote:
>      >
>      > On 23/10/2020 14:10, Brett Stahlman wrote:
>      >> It seems that the CAPI engine is breaking the server verification somehow.
>      >> Note that the only reason I'm using the ca-bundle.crt is that I couldn't
>      >> figure out how to get CAPI to load the Windows "ROOT" certificate
>      >> store, which contains the requisite CA certs. Ideally, server
>      >> authentication would use the CA certs in the Windows "ROOT" store, and
>      >> client authentication would use the certs in the Windows "MY" store, but
>      >> CAPI doesn't appear to be loading either one.
>      > This is probably the following issue:
>      >
>      > https://github.com/openssl/openssl/issues/8872
>      >
>      > Matt
>     Looking at the brutal wontfixing of that bug, maybe reconsider if the
>     existing engine interface can do PSS by simply having the CAPI/CAPIng
>     engine export the generic PKEY type for PSS-capable RSA keys.  Also,
>     maybe use a compatible stronger CAPI "provider" (their engines) to do
>     stronger hashes etc.
> 


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

