rrln wrote:
>
> Hi, people
>
> I was tinkering with some piece of code (modified from /demos/selfsign)
> and I was shocked to find that I saw a private key where
> I shouldn't. Here is the code
>
[stuff deleted]
> It seems that the call to X509_print_fp() is showing the private key. I
> thought that X509_set_pubkey() only takes the public part of the RSA key
> to the X509 structure, but it seems that it puts all the key.
>
> When I cut the PEM code (BEGIN CERTIFICATE --- END CERTIFICATE part of
> the result) and use the "openssl x509" command line utility I do not see
> the private key. This makes me think that it is when you output the
> certificate (for example through a PEM_write_X509() call) that only the
> public part is codified. Am I right? As I do not know the whole library,
> it is a bit hard to look through the low-level stuff :-(.
>
X509_set_pubkey() sets the ASN1 certificate public key and also shares
the EVP_PKEY structure. This means that although only the public key is
actually encoded, the private key is also printed out because it uses the
EVP_PKEY structure.
The easiest solution in OpenSSL is to not share the EVP_PKEY structure
in X509_set_pubkey(). This will then create a new EVP_PKEY structure
from the encoded public key the next time it is extracted.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
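As an added illustration of Steve's point (not code from the thread or from OpenSSL), the following minimal DER encoder/decoder shows why the encoded certificate can only ever carry the public key: the SubjectPublicKeyInfo for RSA holds just (n, e), so re-parsing the encoding, as Steve suggests, yields a key object with no private members. The key values and the `encode_spki`/`decode_spki` names are constructed for this example.

```python
# Added example: a simplified DER encoder/decoder for RSA SubjectPublicKeyInfo.
# Not OpenSSL code; the key below is a constructed toy value, not a real RSA key.

def der_len(n):
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    # Minimal two's-complement encoding of a non-negative INTEGER.
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1

def encode_spki(key):
    """SubjectPublicKeyInfo for an RSA key dict; d, p, q are simply never read."""
    rsa_pub = tlv(0x30, der_int(key["n"]) + der_int(key["e"]))   # RSAPublicKey
    alg = tlv(0x30, RSA_ENCRYPTION_OID + tlv(0x05, b""))          # AlgorithmIdentifier
    return tlv(0x30, alg + tlv(0x03, b"\x00" + rsa_pub))          # BIT STRING, 0 unused bits

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_spki(der):
    """Rebuild a key dict from the encoding: only n and e can come back."""
    tag, spki, _ = read_tlv(der, 0)
    assert tag == 0x30
    _, _alg, pos = read_tlv(spki, 0)
    tag, bitstr, _ = read_tlv(spki, pos)
    assert tag == 0x03 and bitstr[0] == 0
    _, rsa_pub, _ = read_tlv(bitstr, 1)
    _, n, pos = read_tlv(rsa_pub, 0)
    _, e, _ = read_tlv(rsa_pub, pos)
    return {"n": int.from_bytes(n, "big"), "e": int.from_bytes(e, "big")}

# Constructed toy key: the in-memory object carries private members as well.
FULL_KEY = {"n": 3233, "e": 17, "d": 2753, "p": 61, "q": 53}

def public_only(key):
    """The fix from the reply: rebuild the key object from its encoded public form."""
    return decode_spki(encode_spki(key))
```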
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]