Openssl 将私钥与gSoap中的Windows证书存储一起使用
我正在用OpenSSL编写一个使用Windows证书的gSoap客户端。我有PEM证书和PEM私钥。当我将它们合并到一个文件中并将其交给gSoap时,效果很好:Openssl 将私钥与gSoap中的Windows证书存储一起使用,openssl,certificate,gsoap,Openssl,Certificate,Gsoap,我正在用OpenSSL编写一个使用Windows证书的gSoap客户端。我有PEM证书和PEM私钥。当我将它们合并到一个文件中并将其交给gSoap时,效果很好: soap_ssl_client_context( &soap, SOAP_SSL_DEFAULT, "certkey.pem", /* required only when client must authenticate to
soap_ssl_client_context( &soap,
SOAP_SSL_DEFAULT,
"certkey.pem", /* required only when client must authenticate to server */
NULL, /* password to read the key file (not used with GNUTLS) */
NULL, /* cacert file to store trusted certificates */
NULL, /* capath to directory with trusted certificates */
NULL /* if randfile!=NULL: use a file with random data to seed randomness */
)
但是,当我将证书安装到Windows存储并通过X509\u STORE\u add\u cert从那里加载它时,它不起作用。我的猜测是,我必须以某种方式使用私钥,但我不知道以何种方式使用。我该怎么办?您需要加载私钥,而且X509_STORE_add_cert不正确,这是正确的。如果要为服务器或客户端使用证书,则需要将证书设置为ssl上下文,或使用ssl\u\u xxx作为证书和证书的私钥 e、 g 以上假设“cert.pem”同时持有证书链和私钥 更新: 我假设“Windows存储”指的是“Windows证书存储”。 在windows证书存储中使用证书的主要问题是私钥的使用。如果私钥被标记为“不可导出”,则只能使用。因此,如果您希望使用存储在windows证书存储中的私钥的证书,则需要将证书(非常简单)和私钥“导出”到openssl x509和rsa对象中,以便在SSL_CTX_xxx函数中使用。我发现导出私钥的最佳方法是使用BCRYPT_RSAFULLPRIVATE_BLOB BLOB类型,然后使用函数将其手动分解为openssl结构
RSA* extract_private_key(const PCCERT_CONTEXT context)
{
HCRYPTPROV_OR_NCRYPT_KEY_HANDLE key_handle;
DWORD key_spec = 0;
BOOL free_key;
if (!CryptAcquireCertificatePrivateKey(context, CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG | CRYPT_ACQUIRE_SILENT_FLAG, nullptr, &key_handle, &key_spec, &free_key))
{
return nullptr;
}
RSA* rsa = nullptr;
DWORD length = 0;
if(SUCCEEDED(NCryptExportKey(key_handle, NULL, BCRYPT_RSAFULLPRIVATE_BLOB, nullptr, nullptr, 0, &length, 0)))
{
auto data = std::make_unique<BYTE[]>(length);
if(SUCCEEDED(NCryptExportKey(key_handle, NULL, BCRYPT_RSAFULLPRIVATE_BLOB, nullptr, data.get(), length, &length, 0)))
{
// https://docs.microsoft.com/en-us/windows/desktop/api/bcrypt/ns-bcrypt-_bcrypt_rsakey_blob
auto const blob = reinterpret_cast<BCRYPT_RSAKEY_BLOB*>(data.get());
if(blob->Magic == BCRYPT_RSAFULLPRIVATE_MAGIC)
{
rsa = RSA_new();
// n is the modulus common to both public and private key
auto const n = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp, blob->cbModulus, nullptr);
// e is the public exponent
auto const e = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB), blob->cbPublicExp, nullptr);
// d is the private exponent
auto const d = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus + blob->cbPrime1 + blob->cbPrime2 + blob->cbPrime1 + blob->cbPrime2 + blob->cbPrime1, blob->cbModulus, nullptr);
RSA_set0_key(rsa, n, e, d);
// p and q are the first and second factor of n
auto const p = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus, blob->cbPrime1, nullptr);
auto const q = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus + blob->cbPrime1, blob->cbPrime2, nullptr);
RSA_set0_factors(rsa, p, q);
// dmp1, dmq1 and iqmp are the exponents and coefficient for CRT calculations
auto const dmp1 = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus + blob->cbPrime1 + blob->cbPrime2, blob->cbPrime1, nullptr);
auto const dmq1 = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus + blob->cbPrime1 + blob->cbPrime2 + blob->cbPrime1, blob->cbPrime2, nullptr);
auto const iqmp = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus + blob->cbPrime1 + blob->cbPrime2 + blob->cbPrime1 + blob->cbPrime2, blob->cbPrime1, nullptr);
RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
}
}
}
if(free_key)
{
NCryptFreeObject(key_handle);
}
return rsa;
}
bool set_ctx_certificate_and_private_key(SSL_CTX* ctx, const PCCERT_CONTEXT context)
{
auto const x509 = d2i_X509(nullptr, const_cast<const unsigned char **>(&context->pbCertEncoded), context->cbCertEncoded);
if (!x509)
{
return false;
}
if(!SSL_CTX_use_certificate(ctx, x509))
{
X509_free(x509);
return false;
}
X509_free(x509);
auto const rsa = extract_private_key(context);
if (!rsa)
{
return false;
}
auto const success = SSL_CTX_use_RSAPrivateKey(ctx, rsa) == 1;
RSA_free(rsa);
return success;
}
RSA*提取私钥(const PCCERT\u上下文)
{
HCRYPTPROV_或Encrypt_KEY_HANDLE KEY_HANDLE;
DWORD键规格=0;
布尔自由键;
if(!CryptAcquireCertificatePrivateKey(上下文、仅加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密加密
{
返回空ptr;
}
RSA*RSA=nullptr;
DWORD长度=0;
if(成功(NCryptExportKey(key_handle,NULL,BCRYPT_rsafllprivate_BLOB,nullptr,nullptr,0,&length,0)))
{
自动数据=标准::使_唯一(长度);
if(成功(NCryptExportKey(key_handle,NULL,BCRYPT_RSAFULLPRIVATE_BLOB,nullptr,data.get(),length,&length,0)))
{
// https://docs.microsoft.com/en-us/windows/desktop/api/bcrypt/ns-bcrypt-_bcrypt_rsakey_blob
auto const blob=reinterpret_cast(data.get());
如果(blob->Magic==BCRYPT\u rsafllprivate\u Magic)
{
rsa=rsa_new();
//n是公钥和私钥共有的模
auto const n=BN_bin2bn(data.get()+sizeof(BCRYPT_RSAKEY_BLOB)+BLOB->cbPublicExp,BLOB->cbModulus,nullptr);
//e是公众指数
auto const e=BN_bin2bn(data.get()+sizeof(BCRYPT_RSAKEY_BLOB),BLOB->cbPublicExp,nullptr);
//d是私有指数
auto const d=BN_bin2bn(data.get()+sizeof(BCRYPT_RSAKEY_BLOB)+BLOB->cbPublicExp+BLOB->cbModulus+BLOB->cbPrime1+BLOB->cbPrime2+BLOB->cbPrime1+BLOB->cbPrime2+BLOB->cbPrime1,BLOB->cbModulus,nullptr);
RSA_set0_密钥(RSA,n,e,d);
//p和q是n的第一和第二个因子
auto const p=BN_bin2bn(data.get()+sizeof(BCRYPT_RSAKEY_BLOB)+BLOB->cbPublicExp+BLOB->cbModulus,BLOB->cbPrime1,nullptr);
auto const q=BN_bin2bn(data.get()+sizeof(BCRYPT_RSAKEY_BLOB)+BLOB->cbPublicExp+BLOB->cbModulus+BLOB->cbPrime1,BLOB->cbPrime2,nullptr);
RSA_集0_因子(RSA,p,q);
//dmp1、dmq1和iqmp是CRT计算的指数和系数
auto const dmp1=BN_bin2bn(data.get()+sizeof(BCRYPT_RSAKEY_BLOB)+BLOB->cbPublicExp+BLOB->cbModulus+BLOB->cbPrime1+BLOB->cbPrime2,BLOB->cbPrime1,nullptr);
auto const dmq1=BN_bin2bn(data.get()+sizeof(BCRYPT_RSAKEY_BLOB)+BLOB->cbPublicExp+BLOB->cbModulus+BLOB->cbPrime1+BLOB->cbPrime2+BLOB->cbPrime1,BLOB->cbPrime2,nullptr);
auto const iqmp=BN_bin2bn(data.get()+sizeof(BCRYPT_RSAKEY_BLOB)+BLOB->cbPublicExp+BLOB->cbModulus+BLOB->cbPrime1+BLOB->cbPrime2+BLOB->cbPrime1+BLOB->cbPrime2,BLOB->cbPrime1,nullptr);
RSA_set0_crt_参数(RSA、dmp1、dmq1、iqmp);
}
}
}
如果(自由键)
{
NCryptFreeObject(钥匙手柄);
}
返回rsa;
}
bool set_ctx_certificate_和私钥(SSL_ctx*ctx,const PCCERT_上下文)
{
auto const x509=d2i_x509(nullptr,const_cast(&context->pbcertcoded),context->cbcertcoded);
如果(!x509)
{
返回false;
}
如果(!SSL\U CTX\U use\U证书(CTX,x509))
{
X509_自由(X509);
返回false;
}
X509_自由(X509);
auto const rsa=提取私钥(上下文);
if(!rsa)
{
返回false;
}
auto const success=SSL\u CTX\u use\u RSAPrivateKey(CTX,rsa)==1;
RSA_-free(RSA);
回归成功;
}
RSA* extract_private_key(const PCCERT_CONTEXT context)
{
HCRYPTPROV_OR_NCRYPT_KEY_HANDLE key_handle;
DWORD key_spec = 0;
BOOL free_key;
if (!CryptAcquireCertificatePrivateKey(context, CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG | CRYPT_ACQUIRE_SILENT_FLAG, nullptr, &key_handle, &key_spec, &free_key))
{
return nullptr;
}
RSA* rsa = nullptr;
DWORD length = 0;
if(SUCCEEDED(NCryptExportKey(key_handle, NULL, BCRYPT_RSAFULLPRIVATE_BLOB, nullptr, nullptr, 0, &length, 0)))
{
auto data = std::make_unique<BYTE[]>(length);
if(SUCCEEDED(NCryptExportKey(key_handle, NULL, BCRYPT_RSAFULLPRIVATE_BLOB, nullptr, data.get(), length, &length, 0)))
{
// https://docs.microsoft.com/en-us/windows/desktop/api/bcrypt/ns-bcrypt-_bcrypt_rsakey_blob
auto const blob = reinterpret_cast<BCRYPT_RSAKEY_BLOB*>(data.get());
if(blob->Magic == BCRYPT_RSAFULLPRIVATE_MAGIC)
{
rsa = RSA_new();
// n is the modulus common to both public and private key
auto const n = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp, blob->cbModulus, nullptr);
// e is the public exponent
auto const e = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB), blob->cbPublicExp, nullptr);
// d is the private exponent
auto const d = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus + blob->cbPrime1 + blob->cbPrime2 + blob->cbPrime1 + blob->cbPrime2 + blob->cbPrime1, blob->cbModulus, nullptr);
RSA_set0_key(rsa, n, e, d);
// p and q are the first and second factor of n
auto const p = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus, blob->cbPrime1, nullptr);
auto const q = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus + blob->cbPrime1, blob->cbPrime2, nullptr);
RSA_set0_factors(rsa, p, q);
// dmp1, dmq1 and iqmp are the exponents and coefficient for CRT calculations
auto const dmp1 = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus + blob->cbPrime1 + blob->cbPrime2, blob->cbPrime1, nullptr);
auto const dmq1 = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus + blob->cbPrime1 + blob->cbPrime2 + blob->cbPrime1, blob->cbPrime2, nullptr);
auto const iqmp = BN_bin2bn(data.get() + sizeof(BCRYPT_RSAKEY_BLOB) + blob->cbPublicExp + blob->cbModulus + blob->cbPrime1 + blob->cbPrime2 + blob->cbPrime1 + blob->cbPrime2, blob->cbPrime1, nullptr);
RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
}
}
}
if(free_key)
{
NCryptFreeObject(key_handle);
}
return rsa;
}
bool set_ctx_certificate_and_private_key(SSL_CTX* ctx, const PCCERT_CONTEXT context)
{
auto const x509 = d2i_X509(nullptr, const_cast<const unsigned char **>(&context->pbCertEncoded), context->cbCertEncoded);
if (!x509)
{
return false;
}
if(!SSL_CTX_use_certificate(ctx, x509))
{
X509_free(x509);
return false;
}
X509_free(x509);
auto const rsa = extract_private_key(context);
if (!rsa)
{
return false;
}
auto const success = SSL_CTX_use_RSAPrivateKey(ctx, rsa) == 1;
RSA_free(rsa);
return success;
}