Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine

2012-12-08 Thread Indtiny s
On Wednesday, December 5, 2012, Ashok C  wrote:
> Hi,
> Our current SSL server loads plain-text private keys using the
> SSL_CTX_use_PrivateKey_file() method. We are moving from this strategy
> to use custom encrypted private keys using the TPM concept. For this, we
> have an engine implemented. Now the question is this.
>
> Does my SSL server need to change from loading private keys using the
> SSL_CTX_use_PrivateKey_file() method to use this method instead:
>
>   ENGINE_load_private_key(ENGINE *e, const char *key_id,
>                           UI_METHOD *ui_method, void *callback_data)
>
> Or can this be achieved by using the SSL_CTX_use_PrivateKey_file() method
> itself, with OpenSSL taking care of loading my encrypted private key with
> the help of my implemented engine? Basically wanted to understand if the
> SSL_CTX method for loading private keys has the support for loading engine
> specific keys.
>
> --
> Ashok
>


Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine

2012-12-08 Thread LN
> I'm afraid to ask where Boost is storing them. But I do have a morbid
> curiosity: would you happen to know?

Is this a little sense of irony? :)


From what I know Boost does not store the keys... Boost has an implementation 
of SSL based on OpenSSL in boost::asio::ssl. This mimics the functionality and 
capabilities of OpenSSL and only accepts specifying certificates and private 
keys stored in files (in PEM format).
For security, the private keys in a PEM file can be encrypted with a password.

If OpenSSL, and thus Boost, keeps the private key in some protected way (like 
using DPAPI on windows) after reading it from a PEM file, I really don't know, 
and I would be curious to know too.

My question was about using the OpenSSL CAPI engine because I tried to mix the 
"security" offered by windows certificate store (and read the certificate and 
PKEY from there with CAPI engine) with using Boost::asio::ssl and OpenSSL 
(which I'm forced to do because of the framework I use).

Unfortunately OpenSSL CAPI engine does not offer all the functionality I need 
even in the latest 1.0.1c version - like for example loading a server 
certificate.
It can only load a private key, but that is questionable too, because I tried 
to save the private key to a PEM file and read it back and it didn't work. 
Saving/reading to/from the PEM file was done with the API offered by OpenSSL in 
"pem.h" so I doubt that the API was not capable to save it correctly (even if 
instead of the prime numbers, the EVP_PKEY structure returned from 
ENGINE_load_privatekey contained some indexes, as someone mentioned in a post 
to this thread).

Using CryptoAPI directly to export an exportable private key from the windows 
certificate store and encode it into PEM format worked. I even fed the 
obtained PEM file into OpenSSL with success. I have exported the key as a 
PRIVATEKEYBLOB, whereas the OpenSSL CAPI engine exports it as a PUBLICKEYBLOB 
and then converts it to the OpenSSL EVP_PKEY structure (but only the public 
exponent and modulus are put in the EVP_PKEY).


From: Jeffrey Walton
To: openssl-users@openssl.org
Sent: Friday, December 7, 2012 4:52 PM
Subject: Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine

On Fri, Dec 7, 2012 at 5:05 AM, LN wrote:
>
> ...
>
>> MS CAPI has an option to mark a private key as "exportable" when you
>> create or install it, which means that the private key can then be read
>> anyway, but I don't know if that feature is used by the OpenSSL "CAPI
>> Engine".  It is almost always a good idea NOT to mark private keys as
>> exportable.  Note that whatever is decided when the private key is first
>> stored by CAPI will be permanent (There is a 3 step workaround for making an
>> exportable key non-exportable, but any ability to go the
>> other way would compromise security just by being possible).
>
> Indeed, private keys are not exportable as long as they are not marked as
> such when the certificate is imported in the windows store. Unfortunately, I
> am forced to use boost::asio::ssl which (AFAIK) does not integrate with CAPI
> engine so I cannot ask it to sign or decrypt communication.
> Anyway, seems more secure, then, to have the private key in a file encrypted
> with a password, than keeping it in the windows store, if I want to pass it
> to OpenSSL (through boost::asio::ssl) :)
Keys should be stored in DPAPI. See Howard and LeBlanc's "Writing
Secure Code," Chapter 9
(http://www.amazon.com/Writing-Secure-Second-Michael-Howard/dp/0735617228).

I'm afraid to ask where Boost is storing them. But I do have a morbid
curiosity: would you happen to know?

Jeff
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                          majord...@openssl.org