Question: how do I use PrivateKey? about schannel-rs HOT 7 CLOSED

Tiny bit more secure. Cert-store, openssl using native cert store or hardware module is always better.

You'll want the underlying handle through NcryptKey::as_ptr() then likely run a NcryptExportKey.
In general the windows representations arent really 1:1 to openssl side, so need a few steps of conversion.
Some examples illustrating some of the ways that can be used to do so:
https://stackoverflow.com/questions/69909118/how-to-export-rsa-keys-generated-from-cng-api
https://stackoverflow.com/questions/59313462/how-to-convert-cng-key-to-openssl-evp-pkey-and-vice-versa/59345986#59345986
https://github.com/netxms/netxms/blob/e8872bebd9823411a174ee9d176e740201026c30/src/agent/core/cng_engine.cpp#L170
You'll still need to construct the key and feed to SslAcceptorBuilder::set_private_key on openssl-(wrapper = crate) side.

=> Not recommending this as you can see this isnt easy and likely will break, e.g. if switching from RSA to ECDSA certs.

from schannel-rs.

I believe what you want to do is not possible at the moment, except through a very bumpy detour via an in-memory certificate store and export_pkcs12.
Also keep in mind that if you're selecting certificates from the windows certificate store,
they might be stored as not exportable, which would make any such approach fail
(.acquire would throw an error).

from schannel-rs.

Thanks @steffengy.

The issue is sharing certs between a legacy Windows application using Crypto APIs and my Rust application.

It does look like PFXExportCertStoreEx() would probably work if the cert is created as exportable.

After a bit more work, it seems the best approach is to generate the certs and then import them into the Windows Store, so I can have direct access to the private key file from Rust. I have tested this using a python script / openssl to create the certs, they can be shared correctly in that case.

FYI: I have abandoned trying to use rustls, at least for now, in favor of the more complicated openssl crate to provide more flexibility. My concern with rustls is that it hasn't undergone any security audit (AFAIK), while with openssl, they provide mozilla_intermediate() as a way to use an accepted set of ciphers with TLS 1.2 and TLS 1.3.

from schannel-rs.

Hi. I was just considering of changing from rust openssl to rustls because I do not want to have the pem files laying around any more.
schannel-rs provides a certificate context and an ncryptkey when read from windows store.
I haven't found a way though, importing these to the rust openssl SslAcceptorBuilder.
How do you use them in openssl?
After four years, this is still an issue; importing a certificate with its key from windows store to some tls communication.

from schannel-rs.

@VassilisM
If you just need the public key you can take a look at how e.g. https://github.com/rustls/rustls-native-certs/blob/main/src/windows.rs does it.
If not and talking ncrypt handle specifically, you should be able to get e.g. NCryptExportKey to export into a format you like on the underlying handle - if talking about certificates marked exportable in store at all.
In general such an use isnt recommended, as essentially you're losing all the additional security the certificate store in the first place can provide to protect private keys (vs using schannel bindings insteadof rustls/openssl).

from schannel-rs.

I will check it out, thank you. --> UPDATE: Yes, I had seen this. I couldn't find out how to use the store and this helped. This provides no keys though.
NcryptKey handle is very difficult to... handle. No idea how to.
It is customer requirement, I have read that it is not that secure. But isn't is better than having the certificate and private key files laying around where the application files are?
I have tried locally with an imported pfx certificate created from those files with non-exportable key (trying to export it back, the private key is grayed out).
The "CertContext::private_key().acquire()" does not throw an error. Instead I get a NcryptKey back. Also mysterious.
Btw, is there a way to get the Thumbprint from the context? :-D

from schannel-rs.

Thanks again. I will check these out tomorrow.
UPDATE:
These are deep into cryptography. I am not an expert.
I found a solution using the rustls-cng!

from schannel-rs.