Hi, I did not know about the function EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **pkey, pem_password_callback function *cb, void *u) and it's exactly what I need to use (a very similar situation to the author of this thread).
However, how could I use the EVP_PKEY after that? Is there an equivalent function to SSL_CTX_use_PrivateKey_file() to use that EVP_PKEY? Also, after creating a key with openssl (with the -passout parameter), is the certificate creation process the same? Will I have to enter the key's password during the certificate creation?

Lars Kühl wrote:
>
> On Monday, 15 September 2008 11:48:15, Dan Ribe wrote:
>> Hi,
>>
>> I have a client/server application, where the client authenticates itself by
>> signing a random string (sent by the server) using its private key. The whole
>> logic is working fine for me. I am using the PEM_read_PrivateKey() function to
>> read the private key from the key file which is stored on the disk.
>>
>> As per the current mechanism the PEM file needs to be part of the client
>> bundle, but that is not good for the safety of the client's private key (as
>> this way the key file will be visible to all the users of the application). I
>> am looking for some mechanism to directly hardcode the key in the code &
>> directly read it from there. Can anyone give me some idea on this? What
>> format can I use to specify the PEM data in the code & what APIs can be
>> used to read the private key directly from the memory buffer?
>>
>> Looking for some valuable comments from you. Thanks
>>
>> Cheers !
>
>
> Hi Dan,
> you can encrypt the .pem file and then use a pem_password_callback
> function() to enter the password in the call EVP_PKEY *PEM_read_PrivateKey(FILE *fp,
> EVP_PKEY **pkey, pem_password_callback function *cb, void *u).
> So you add a symmetric key to the source code, or you can ask the user for a
> password.
>
> If you use openssl to generate the key files then you can use the
> parameter "-passout pass:<password>" to encrypt the file within the key
> generation.
>
> For security the best option would be to use a smartcard to sign the data.
>
> Cheers!
> Lars
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [email protected]
> Automated List Manager                           [EMAIL PROTECTED]

--
View this message in context: http://www.nabble.com/How-to-protect-the-private-key-%21-tp19489983p20346930.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
