Hello Normand,
so here is the tricky part of openssl's command line.
You create your key file with genrsa and the passout option. Now you could
think that your keyfile is encrypted but it isnt. You have to configure the
encryption algorithm:
-des encrypt the generated key with DES in cbc mode
-des3 encrypt the generated key with DES in ede cbc mode (168 bit
key)
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
encrypt PEM output with cbc camellia
If there is no algorithem specified then there is no encryption :-).
[EMAIL PROTECTED]:~> openssl genrsa -out key.pem -passout pass:123456 2048
Generating RSA private key, 2048 bit long modulus
.........+++
...............................................+++
e is 65537 (0x10001)
[EMAIL PROTECTED]:~> cat key.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAxQbhvVQ6lLykSD/KjPoJJsrvmjxlB1uqBeK+CqGFXV/yTucl
dQZFpo1EZsB/pb+9SU/aKZxdVMRYFvYh4YZKvElAj84PD9QZUDdmjQDwMjXbhkf+
qYxVGzV2bb8Kbt83toUL7hTsfsoFWK1sRjeMsFuiuf8KJk08rB8U5X71+DQN2EdR
d6Qui57u9ATnP/oMpPk2AZ/w+Ig2SB2XOnCrkNkR6XT2DnshXpXIMaFO3lkB6+JC
6CNeFyv16mxdjlfCylR4txqE1FiOyLeugTVGbWop4RjikDr4Z5yAYK7DSnfrfS+m
JYTHTrYoyIEjedxw5XDLbhshQ/sTan/FkH2f8wIDAQABAoIBABPV+4gaIMO0sj1r
3rKOwbkcGT9H8UvqWJW7HDLpzAl4jWaQMt8zQHPiKQ7HNpKzWRU2atphmavdEJlP
Ml4ILSIDpfJUZoPLcLj4uuRbQdNsRKuiN+tN64uPuFqYLy62Xl+LyYWwqZaiNCOX
Yh03nnxq3VkoahctE3yorGvmelEAj0dCC20607MZyPwk+CcXITlmKJNJag1ICqpQ
WknW3/zCs8AvaCxwdqPcBY8xDaRa6O2q4sQ004CRob+ze9H1VHN2XNOYmQeOdSLj
kLqKYrgpGXtd5IQOYm5pqfLk9gIElGZxftcV5LMCe7s53Otd+QrqgRvl4AX6pIBI
QTuHKgECgYEA8Nlsvdni0dvK/Za9hroU1DsWuSIx6FA04QGUXODzuz1DYOCP2C6B
g7X11xSxjLZ8FE6ahm2zADycpLLFnsNB84ecchmf2SYhUY1Ha4nnF9NCg2hO302g
gpA4l4Al9BPYEeM0LiGwY2ljZX6IKp58WRZuxQInPbGJbRWRYIWaL4ECgYEA0WvA
eglgK/URApgZ0JL1vJ9MBhb9xfkGby4NguW+DSFGDgq2Y1UMMqMDDwTvQq7dRDFY
yo8YnPcmZAW1CsjeJ7Fr48ZRmKmoRkJRUHbV2rI3uin49wBgUc3rYkxcsrJLe76J
HYL8hHPTyByD3oDISv1aLUiHfF7kZoJgBNPuyXMCgYALnPA5V0AwjkCDablJvb8z
XIYD9zog0X07PDBDKjWWWaXeDfXhnpxwFV39OOo2trXU5NVelfuDj2ieKGCO/ys2
6tsIRWQHvGbu37kJ3mReKbmTTHxBGCUdJocUBwHNewd4FVR2xPkUUgiQ5ED8jRfB
0+sTZL8volfWAqw30zlUAQKBgCivQklzINfpWFCks/8tTchDOkXEmbCoXHOlAsL3
VyC94hpAQoaxsxjzSljUoJbX2eyxmYpgmmuEKFUuNqnNtDsJ4OfzU07RRvu/ToTP
UWSXUvQ7yz5ROGUsGBqUsz2UHc4AiirNk7k3t2EdCRFk+4R2C9rYSFoFJWI02eqW
McG5AoGBAL/GxzMONz3uJNJlVcKhZ3ZN5GdfeyYmrpkvcUBugXorMnuMVwrzvGxm
2RgYvBQxHl589oFMuXlbIZhukmkCgvnGsMr+msP/MhphsurYuHbhUREc1JwgPZyC
DNRdhg8qM7MgUDz4JIOn0TKNrA0YuHNrXjYMYm24sCrc9J+NtvrA
-----END RSA PRIVATE KEY-----
With algorithem you get :(At the beginning of the key2.pem file there is also
an additional header)
[EMAIL PROTECTED]:~> openssl genrsa -out key2.pem -aes256 -passout pass:123456
2048
Generating RSA private key, 2048 bit long modulus
...+++
............................+++
e is 65537 (0x10001)
[EMAIL PROTECTED]:~> cat key2.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,31781C1F65AAF64555C4CB77FD7F5E69
FAUJZnFAyWPgFFzZiDcpzz9xotyT5Ln0hiLyp0ds4/9L040gZLl0i9Obm3S8yNvs
TZQSVj8M/D0ZlOomZo0ALvy3GgV88CBkL9pnluXysNdPeW1hZgF1deaafX18wcA0
dvVhv4lQUUqgKRW5SE6iVFj9ceLpOGoxGrGC8FJtT0fCLEtSZ+sNHrtj7/zPIXyP
UBZlL3EutIS6kfuvP4r6h5Smi442FfRzojkehiibveP62iiYYNhUbJqgojtkJ/mI
mVEqBHQWv04JltcTLr81ufqi2u7m9tBepE5WXuY9lcN6KJP6YNIrPKeD7W6hxrtk
idr+ey4NkCm44G0FvBWhcTcLxjpRr8niA9vPPNuXPg/dgnmwbk84Ft6kEP+lKqzd
ZsbCWHE3ZiO+dnquzSqu365kZ0I1aEpHyUkg7e7x27BTJoc+MyCnft5qToHfXIpM
yAf/19E08oOTxdSbnU5aej+XYQNuw6p8A7AYoF36F56qnBre1dQ5jtygPrBdPqst
CS1VgSGSOM5vQ279eUOUdoG6P/TZGoLCBtsqyBg4j+S+YEKWEsbZ/CbZh2bxAYES
5vRigglHSQIQ96O9rv7FMjSZjwT3CVV9ohL9t1T9e/XxR4ywgXGwK4MF/cqzubhY
vytAKkA4Oo/zamfmg9Ak2zmRrpezOlXujNndL4PqP4RiT5dQkUP2swx9/mOBd6Kh
pJF8oCgMhICImrP5MZkofoHj4GH4qERCdDl1ay3uyO6yeeicKAqe/QE1f13HSCxV
iw8px6zB5BoucCE+bvX2sl/3Ew7Uv0ipyKk+4ujtCtpdC09GBqOC9l8xviPYBHZW
ZraT5h3GLEMqtu2l2JX9jpzrj1cCzxhnziR3OencJS1088hPEjL7Fy0y/y98jI2y
EKsTpWmGzfL5Ukgj5heFA4/GZJsMVMu0li8owq9Csrfa3gjEWPxlWWq1Ad3FM/Ol
WqDsYc36C3KHBtgN2IddptV0xdo9adQeT9Bi99ukXyhxvHdZYU4i5/nA9+J1oMTJ
Oj0AslGhiQYg67Fr8skvQdJvAtbhv36+fXhDkSQUWMcG6nYZMaaZqC9+xfsEd9Pd
tVvomPWqqCeajAkVM8qvoVvZBPr5XK+XFAUynMKsqH0OcC1AwBC+iGt9n0G2nJxJ
pS8qjSQPRy+bjLZApeKByISYsaFtIgYXKmlEiFuEziLwOsxj7VaTC9GBMcLurW75
FbzxW4DDHoVNBSGif3tF26xCvXhDoASIdwjxrhDVKNmCHFBmiOOxs07Sa+v4/iXO
n0gVOeFqOThdisfwWxBq7bAqrjbOINnuec8SnRjpxbs4p13mby11xXld0XShx+ZK
6iWjW+9n+KtGo9vz+bKViJNVu0IwtReuaUayDcOF/0+K/8/ldzOulwoHo0FUW+CO
i8aJ3Gm8Yc3knY6W47zmkbDenb1cQKX7vc+SspPSPQGO+p9ftk2GUUiq+Iduop5n
3XI+hj3KrBVehtNo59/rQwnrxeDIbx8ypgIqrZFY4Ffft/n9egYrkftV87vKbftI
VesyAYU91H84PFOKlCYi9zYgtRhBxLQ+tzOhqivDk3I7UfUiMd0yuH0yGG/44QuL
-----END RSA PRIVATE KEY-----
If you use this keyfile openssl ask you for the key:
[EMAIL PROTECTED]:~> openssl req -new -key key2.pem -out cer.pem
Enter pass phrase for key2.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
Or you use passin:
openssl req -new -key key2.pem -passin pass:123456 -out cer.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
You can also generate key and certificate with one command req but then you
cannot configure the encryption algorithem it is always des-ede3-cbc:
[EMAIL PROTECTED]:~> openssl req -newkey rsa:2048 -passout pass:123456 -keyout
key3.pem -out cer.pem
Generating a 2048 bit RSA private key
........................+++
..........................+++
writing new private key to 'key3.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:sd
State or Province Name (full name) [Some-State]:df
Locality Name (eg, city) []:sdf
Organization Name (eg, company) [Internet Widgits Pty Ltd]:df
Organizational Unit Name (eg, section) []:df
Common Name (eg, YOUR name) []:df
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[EMAIL PROTECTED]:~> cat key3.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,FCB0BCA5ABEB6510
7j4lLw6hC/13P3BMHnfV1C22Qbgqaouz0W1maQka8+AYUkEPAlDm5L6AWC7rV2gG
FxkfugfsM5HckE0RGOPM9h9d19DiAlLzqLMyPMmdPx/RlGPOwKwofMG0/Bh3BOKk
5jHz0gauTwR0/5PgeOY2ewDs53B/eBi2aYiyuwLpi4AF7ag+50AfsinfN+HD9QHM
OmK7p4KoEbDDku2X6Y0xpvg2xMp1G9bXfBN26EK2Kb5hgOoX1Cv5c7pMHC6FyVBE
pWv9rLgBPm4/SAIVr6fcRQygGh5D7DZ6fs5obAEoWt35jTu77kmunFeqlbDgSl9x
k6b4nit6Gl58bekzAv1R0aGxGTSnSWeETnoUIycygFuFY0iiW5XHH220Bb3olN+0
Jg9xfBf0aIqxJyT3Z+5GPhG4Fm02Y9lXy9aZD6I3jLoIFDVABJMCPYNymlg21Cq0
a/J6++bFSLVIx8hhkCERGE+1Uufv0rAxW06X5kGrrV14YfYf/UDEanE6t2EUNukK
bTCUHd7FCO+5OrQnVDcREjnZ7Z+M/v4/fJxfUUyMHOA4vP2ZIFAk9iw/EsDYCu75
XPo1PHCEtkF/ncgPzfH+qK9JgbdEA99BhuR5d0w1hcVrohpaNXd1ZAhXD+7ZHy8U
cMeIon5pvdR5JnFcdAuwJFyx15m0pAMUUl5WCpe2HFom9c6f7KSxV2ASLUcFdFzI
QnuW2v1ewL54hHFvGLUf2qalEaf3GO9BH8Yo3Zma09tCykXxzT+Jdg1wAgKy8T0H
csIIFF+7UknVflbF7g0CIlPP0zggRzkG+uxgqHr/eBDsr+ZFYCkRJ3E6/BuvLm2a
yW401ZObQVATivdl6Kj+e3w1c82VrSRNcqPzpi7q+Xbqn3dMsh7Z60WsNVXQZxD6
qfKvtc3wmbVP88MzDVPf0EP16P3rgci1FmBoNqf82p8DI6LmBDAZZYjJ34Z2V2oA
Fp6Jr77eRknp+aXjjg8oGNrlXxO5kbM1yTOBVnkt8t+tjRZNu44U4aRs8xVzw6KC
Hn3k/ixB+XJbD/1cDmOzsUkrD2S6rWvlsB6TAayFg87ub7zmb6yrvXECGA/TWgPO
5M8s+vtriRMou2TK9FZOC6dZEK3YKJ5dneMgmdLQuZGmwGMOogqOctEDlPJ2Wkgi
0TRBbTacZhoAKtnlFoDQ3LDKPwgwsSqNMsvN5No7lbgrKy/o8h0ZurpqoY4O8x+b
enEKX8dYXC6C5MIg9Q35vzk1d5W3eYv+6xItIjtHcZQddXTke1B4G/7HjhZApMfg
XyKp8Z3hgiXu5An48SXoZcKzfBSXyU610R20vfeNPgiRnVwyZssLc2GfjK4nm5ae
AvV3gBm5kt8oqjdvYDaXwQsO1u3XH40e57WGMhMrWZxjPewwoXg0mZbfuVedah6+
SnUT3ZYOHbGCWJS4PEsfzwbIdBy3yscLLEAZ4xVy0nU3/Totps2Fjo+gQGuuaVVD
b8HjU8GTY7aEb2iYBm61JUOJeP4i4rwNgOowGGrQAR8x9OBYnCOeuMxeIS1sM4iX
gvIEQaKX1lsoh4QakqmoLf5jtI4c1XlXlIBBILkYQD0DQ71x19k8DrXOAzBOXNOL
-----END RSA PRIVATE KEY-----
Thats for the command line.
I think PEM_read_PrivateKey + SSL_CTX_use_PrivateKey will work because your
keyfile isnot encrypted and the pem_cb is not called, which would be a
segmentation error because openssl will try to execute the memory at
123456!!!! If you want to pass your password as string then you should call
PEM_read_PrivateKey(file_key, NULL, NULL, "123456");
else
PEM_read_PrivateKey(file_key, NULL, password_cb, NULL);
int password_cb (char *buffer, int size_buffer, int useforEncry, void* p)
{
if(buffer != NULL && size_buffer < strlen("123456")+1)
{
strcpy(buffer, "123456");
return strlen("123456");
}
return 0;
}
I hope that helps you a littel bit.
I send a copy also to the mailinglist
Have a nice weekend
Lars
> > userdata)
Am Freitag, 7. November 2008 14:22:12 schrieben Sie:
> Thank you for your anwser!
>
> Concerning the fact that I can use use or not the parameter -passin
> pass:<password>, it's strange a little bit. If I use the -passout
> argument in the key generation (openssl genrsa -passout pass:123456 -out
> privateKey.pem 2048), it doesn't ask for a password in the certificate
> request creation (openssl req -new -key privateKey.pem -out
> certificateRequest.pem).
>
> Because it doesn't ask for the password in the certificate request
> creation (for the information, I sign it with my root certificate after
> that), I tryed 2 things: using the -passin pass:123456 argument in the
> certificate request generation or not, to try if there is a difference
> in the execution of my code.
>
> I dont have anymore the error 175073780. Instead, in the two cases that
> I tryed, the PEM_read_PrivateKey + SSL_CTX_use_PrivateKey always works,
> without password setting. I was thinking that in the case where I didn't
> use the -passin pass:123456 argument, the process would fail, but not!
>
> To finish, I have another question for you, about the
> SSL_CTX_set_default_password_cb. I didn't about this function so I tryed
> this way:
>
> pem_password_cb* pem_cb = (pem_password_cb*) 123456; and passing
> pem_cb to PEM_read_PrivateKey. I know it's not the good way to do this
> but I still questionning myself about the fact that the
> SSL_CTX_use_PrivateKey function always works (with and without the
> -passin argument in the certificate request generation). My goal is to
> hardcode the private key's password in the software (I can live with the
> fact that someone can dissasemble the code the recover the key).
>
> Thank you !
>
> Normand Bédard
>
> Lars Kühl wrote:
> > Am Donnerstag, 6. November 2008 19:13:11 schrieben Sie:
> >> Hi, in a september post, you wrote:
> >>
> >> If you use openssl to generate the keyfiles then you can use the
> >> parameter "-passout pass:<password>" to encrypt the file within the key
> >> generation.
> >>
> >> If I created a private key using your method, will I need to use the
> >> -passin pass:<password> argument during the certificate generation
> >> (openssl req) ?
> >
> > You can use it.
> > If you use the parameter then openssl don't ask for the password. If you
> > don't use the parameter then openssl will ask you to enter the password.
> > So it is very useful, if you generate certificates with a skript. You
> > enter the password as skript parameter and the password is used within
> > the key and certificate generation.
> >
> >> I have problem with the PEM_read_PrivateKey +
> >> SSL_CTX_use_PrivateKey combination in my code (error 175073780 : x509
> >> certificate routines:X509_check_private_key:key values mismatch). I
> >> don't know if the problem is related to my key/certificate generation or
> >> my C++ code.
> >
> > I don't know the errorcode, but you have enter the password for the
> > private key. Either openssl ask you for the password on a shell (standard
> > callback) or you can use your own callback function as parameter for
> > PEM_read_PrivateKey or/and SSL_CTX_set_default_password_cb.
> >
> > The callback put the password in a NULL terminated buffer.
> > int password_cb (char *buffer, int size_buffer, int useforEncry, void*
> > userdata)
> > If useforEncry is 0 use password for decryption else the password is used
> > for encryption.
> >
> >> Thanks.
> >>
> >> Normand Bédard
> >
> > I hope that I could help you
> > Greetings
> > Lars
--
Dipl.-Informatiker Lars Kühl
Schweigstill IT | Embedded Systems
Schauenburgerstraße 116, D-24118 Kiel, Germany
Phone: (+49) 431 5606-437, Fax: (+49) 431 5606-436
Web: http://www.schweigstill.de/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
