On Tue, 2015-03-17 at 15:44 +0000, Tigran Gyonjyan (BLOOMBERG/ 731 LEX) wrote:
> Recently I had to work on an openssl project where due to security
> requirements I had to place the private key for the server certificate
> on another machine. In order to be able to make openssl ignore the
> fake private key in the certificate I had to "hack" some data
> structures to delegate the handshake decrypt to the remote machine so
> that the handshake could succeed.
>
> I was wondering if this capability to delegate the decrypt function
> can be useful enough to incorporate into the official version.
> In cases when the client and the server are located on user's machine
> it is a risk to keep the private key on that machine.
>
> Let me know if there is a better solution for this problem.

Yes, PKCS#11. Which is *all* about delegating the decrypt function.

If you install the OpenSC ENGINE_pkcs11 (which *really* ought to be part of OpenSSL, either in ENGINE form or preferably just native PKCS#11 support like libp11), you can configure it to use a key in PKCS#11. And it's relatively simple to have a PKCS#11 provider which does the RPC to the remote machine or wherever the key is actually stored.

I have patches outstanding to ENGINE_pkcs11 which make it Just Work™ with PKCS#11 tokens which are configured in the system's p11-kit configuration, and accept standard PKCS#11 URIs for them instead of the bizarre format it currently requires.

--
dwmw2
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
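
A configuration sketch of the setup the reply describes, added here as an example and not taken from the thread or from the OpenSSL or OpenSC projects: an openssl.cnf that loads the pkcs11 engine and points it at a PKCS#11 provider module, so the server process holds only a key reference. The file paths, the choice of the p11-kit proxy as provider module, and the token and object names are assumptions, and the URI form of the key reference assumes an engine build that accepts PKCS#11 URIs.

```ini
# openssl.cnf fragment (added example; all paths below are assumed and
# vary by distribution and OpenSSL version)
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
# Section name on the right is arbitrary; it is resolved below.
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# Shared object implementing the engine (assumed install location).
dynamic_path = /usr/lib/engines/engine_pkcs11.so
# PKCS#11 provider the engine talks to. This is the component that can
# forward private-key operations to another machine; the p11-kit proxy
# module is assumed here so that tokens configured system-wide are visible.
MODULE_PATH = /usr/lib/p11-kit-proxy.so
# Defer engine initialisation until a key is actually requested.
init = 0

# No PIN is stored in this file. Supply it at run time so the credential
# protecting the remote key is not left on the same disk as the server.
#
# The application then names the key instead of reading a key file, e.g.
# with the openssl command-line tool:
#   -engine pkcs11 -keyform engine \
#   -key 'pkcs11:token=example-token;object=example-server-key;type=private'
# (token and object names are constructed placeholders)
```

With this in place the certificate file on the server stays public material only, and access control and audit logging for every private-key operation can be enforced on the machine behind the provider.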
