Thank you for your responses, PKCS#11 could be the right way to go. I am hoping there is flexibility as per what functionality I want to delegate (just need the decrypt piece). If I had to implement a fully fledged PKCS#11 module that would be an overkill. I hope that's not the case?
From: [email protected]
At: Mar 17 2015 16:02:44
To: Tigran Gyonjyan (BLOOMBERG/ 731 LEX), [email protected]
Subject: Re: [openssl-dev] Using openssl with a remote private key

On Tue, 2015-03-17 at 15:44 +0000, Tigran Gyonjyan (BLOOMBERG/ 731 LEX) wrote:
>
>
> Recently I had to work on an openssl project where due to security
> requirements I had to place the private key for the server certificate
> on another machine. In order to be able to make openssl ignore the
> fake private key in the certificate I had to "hack" some data
> structures to delegate the handshake decrypt to the remote machine so
> that the handshake could succeed.
>
>
> I was wondering if this capability to delegate the decrypt function
> can be useful enough to incorporate into the official version.
> In cases when the client and the server are located on user's machine
> it is a risk to keep the private key on that machine.
>
>
> Let me know if there is a better solution for this problem.

Yes, PKCS#11. Which is *all* about delegating the decrypt function.

If you install the OpenSC ENGINE_pkcs11 (which *really* ought to be part of OpenSSL, either in ENGINE form or preferably just native PKCS#11 support like libp11), you can configure it to use a key in PKCS#11. And it's relatively simple to have a PKCS#11 provider which does the RPC to the remote machine or wherever the key is actually stored.

I have patches outstanding to ENGINE_pkcs11 which make it Just Work™ with PKCS#11 tokens which are configured in the system's p11-kit configuration, and accept standard PKCS#11 URIs for them instead of the bizarre format it currently requires.

--
dwmw2
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
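The split that the thread describes, a TLS server that holds only the public half of its key and forwards each handshake private-key operation (sign for ECDHE/TLS 1.3, decrypt for TLS 1.2 RSA key exchange) to whatever actually holds the key, is exactly the interface a PKCS#11 module or ENGINE presents to OpenSSL. The example below is added here and is not code from the thread, from OpenSSL or from OpenSC; it shows the same pattern using Go's standard `crypto/tls`, which accepts any `crypto.Signer`/`crypto.Decrypter` as a certificate's private key, so no data structures need to be hacked. The `keyHolder` type is an in-process stand-in for the remote machine or PKCS#11 provider (in production it would be an RPC client), the self-signed certificate for `example.test` is constructed for the example, and `calls` is only there so the reader can confirm the operation was delegated.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// keyHolder plays the remote machine that owns the private key. In production it would sit behind
// a PKCS#11 module or an RPC boundary; here it is in-process but exposes only the two operations.
type keyHolder struct{ priv *rsa.PrivateKey }

func (h *keyHolder) sign(d []byte, o crypto.SignerOpts) ([]byte, error)      { return h.priv.Sign(rand.Reader, d, o) }
func (h *keyHolder) decrypt(c []byte, o crypto.DecrypterOpts) ([]byte, error) { return h.priv.Decrypt(rand.Reader, c, o) }

// remoteKey is what the TLS server holds instead of a private key: the public half plus a handle to
// the holder. crypto/tls only needs tls.Certificate.PrivateKey to satisfy crypto.Signer (TLS 1.3 and
// ECDHE suites) or crypto.Decrypter (TLS 1.2 RSA key exchange), so every operation crosses this boundary.
type remoteKey struct {
	pub    *rsa.PublicKey
	holder *keyHolder // assumption: stands in for an RPC client or PKCS#11 session
	calls  int        // number of operations delegated, for inspection
}
func (r *remoteKey) Public() crypto.PublicKey { return r.pub }

func (r *remoteKey) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	r.calls++
	return r.holder.sign(digest, opts)
}

func (r *remoteKey) Decrypt(_ io.Reader, ct []byte, opts crypto.DecrypterOpts) ([]byte, error) {
	r.calls++
	return r.holder.decrypt(ct, opts)
}

// newSplitCertificate generates a throwaway self-signed certificate (constructed for this example) and
// returns the server-side tls.Certificate, which carries the public key and the handle but no private key.
func newSplitCertificate() (tls.Certificate, *remoteKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	rk := &remoteKey{pub: &priv.PublicKey, holder: &keyHolder{priv: priv}}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: rk}, rk, nil
}

// handshakeOverLoopback runs one TLS handshake between an in-memory client and a server that uses the
// split certificate and returns how many private-key operations the server forwarded to the holder.
// Session tickets are disabled so the server sends nothing after Finished and net.Pipe cannot stall.
func handshakeOverLoopback(cert tls.Certificate, rk *remoteKey) (int, error) {
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return 0, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	clientConn, serverConn := net.Pipe()
	serverErr := make(chan error, 1)
	go func() {
		srv := tls.Server(serverConn, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
		serverErr <- srv.Handshake()
	}()
	cli := tls.Client(clientConn, &tls.Config{ServerName: "example.test", RootCAs: pool})
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	if err := <-serverErr; err != nil {
		return 0, err
	}
	return rk.calls, nil
}

func main() {
	cert, rk, err := newSplitCertificate()
	if err != nil {
		panic(err)
	}
	n, err := handshakeOverLoopback(cert, rk)
	fmt.Printf("server holds only the proxy: %v, delegated operations: %d, err: %v\n", cert.PrivateKey == rk, n, err)
}
```

The point to take from it is the shape of the boundary: the server side never sees key material, only an object that answers sign/decrypt requests, which is the same contract a PKCS#11 `C_Sign`/`C_Decrypt` implementation fulfils behind ENGINE_pkcs11. Anything that replaces `keyHolder` with a real transport needs the usual care for a remote key service: authenticate the caller, rate-limit and log operations, and treat the holder as an oracle that must never accept arbitrary ciphertexts from untrusted parties.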
