<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<font face="monospace">Hi,<br>
<br>
I am quite new to OpenSSL on Windows and I did some research on
the net to <br>
solve my problem, but available knowledge seems to be limited.<br>
<br>
I need to develop a TLS 1.2 application using OpenSSL 1.0.2 (FIPS
compliant version) <br>
on Windows platform. I have requirement that it should get
certificates, keys and<br>
CRLs from Windows cert store, and it should use TLS 1.2 EC-based
suites.<br>
<br>
I have some knowledge about crypto, TLS and OpenSSL but Windows
integration is quite new for me.<br>
Correct me if I am wrong, but as far as I know there are, at least
in theory, 2 ways<br>
of doing this:<br>
<br>
1) Get required cert/keys from Windows store using Windows API
(Crypto API or CNG ?)<br>
and load it into OpenSSL. I generated self-signed certs/keys and
imported them into Windows MY store.<br>
Getting certificates from there programmatically using WinAPI is
quite easy and works (</font><font face="monospace"><span
style="font-family:monospace"><span
style="color:#000000;background-color:#ffffff;">CertFindCertificateInStore</span></span>,
etc.),<br>
but is it possible to retrieve also corresponding private keys ? <br>
I see functions like </font><font face="monospace"><span
style="font-family:monospace"><span
style="color:#000000;background-color:#ffffff;">CryptExportPKCS8Ex,
but it seems they are marked as </span>deprecated.<br>
Is there any working example of retrieving a specific key using it
?<br>
Or perhaps it would be easier to use CNG API to do it ?<br>
<br>
</span>2) Using OpenSSL directly with CryptoAPI engine (capi).<br>
Setting capi engine I was able to sign and verify signatures using
RSA certs/keys,<br>
but it seems that </font><font face="monospace"><font
face="monospace">CryptoAPI</font> (and capi engine using it)
does not support EC.<br>
<br>
I realize that part of these questions are more Windows-related,
but I think <br>
the problem of using OpenSSL for modern TLS communication using
Windows store should be<br>
known and well researched, but relevant information on the net is
sparse.<br>
<br>
Thanks a lot in advance for any help.<br>
<br>
Best regards,<br>
Pawel<br>
<br>
</font>
</body>
</html>