Hi, people
I was tinkering with some piece of code (modified from /demos/selfsign)
and I was shocked to find that I saw a private key where
I shouldn't. Here is the code
CODE
=
#include <stdio.h>
#include <stdlib.h>
#include <openssl/pem.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
rrln wrote:
I was tinkering with some piece of code (modified from /demos/selfsign)
and I was shocked to find that I saw a private key where
I shouldn't. Here is the code
I might be missing the point here, but the following calls look pretty
explicit to me:
rrln wrote:
Hi, people
I was tinkering with some piece of code (modified from /demos/selfsign)
and I was shocked to find that I saw a private key where
I shouldn't. Here is the code
[stuff deleted]
It seems that the call to X509_print_fp() is showing the private key. I
thought that
rrln It seems that the call to X509_print_fp() is showing the private key. I
rrln thought that X509_set_pubkey() only takes the public part of the RSA key
rrln
rrln into the X509 structure, but it seems that it puts in all of the key.
rrln
rrln When I cut the PEM code ( BEGIN CERTIFICATE --- END
rrln wrote:
That's right, and that was expected, but what bothers me is that a call to
X509_print_fp() is showing private key info.
You're right of course, and I should know better than to post after
sitting up half the night playing drunken Need For Speed: Porsche
Challenge.
I think Stephen
rrln wrote:
That's right, and that was expected, but what bothers me is that a call to
X509_print_fp() is showing private key info.
Since this issue crops up quite often and it is a potential security
risk (e.g. using the -text option when a certificate or request has just
been signed)
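The point of the thread is that the certificate itself only ever carries the SubjectPublicKeyInfo, but the in-memory X509 keeps a reference to the whole EVP_PKEY you passed to X509_set_pubkey(), so a -text style dump can print private components if the printing code is not careful. The script below is an added example, not code from the thread or from OpenSSL's demos/selfsign: it generates a throwaway RSA key, self-signs a certificate from it, and then runs the check a practitioner wants after signing, namely dumping the private key, the public half and the certificate with -text and grepping the output for RSA private components. It assumes only that the openssl command-line tool is on PATH; the file names, the subject "/CN=selfsign-demo" and the key itself are constructed for the demo. In the C API the equivalent precaution is to hand X509_set_pubkey() a public-only EVP_PKEY (for example one rebuilt with d2i_PUBKEY() from the i2d_PUBKEY() encoding of the private key) rather than the key pair you just generated.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL's demos/selfsign.
# Assumes the `openssl` command-line tool is on PATH; all key material is
# generated fresh here (constructed test data, nothing to protect).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

KEY="$WORK/key.pem"      # RSA private key: the thing that must never be printed
PUB="$WORK/pub.pem"      # public half only, produced with -pubout
CERT="$WORK/cert.pem"    # self-signed certificate built from KEY

# Step 1: generate the key pair and self-sign a certificate from it, which is
# what the selfsign program does in C with X509_set_pubkey() and X509_sign().
make_key_and_cert() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$KEY" 2>/dev/null &&
    openssl pkey -in "$KEY" -pubout -out "$PUB" 2>/dev/null &&
    openssl req -x509 -new -key "$KEY" -subj "/CN=selfsign-demo" -days 1 \
        -out "$CERT" 2>/dev/null
}

# Step 2: the check. Dump an object with -text (the option the last message
# warns about) and look for RSA private components or a private-key PEM
# header. Exit status 0 = private material is present in the dump, 1 = clean.
dump_leaks_private() {
    # $1 = openssl subcommand (x509 | req | pkey); remaining args pass through
    sub=$1; shift
    openssl "$sub" -text -noout "$@" 2>/dev/null |
        grep -Eq 'privateExponent|prime1|prime2|exponent1|coefficient|PRIVATE KEY'
}

# Step 3: what the certificate actually carries. The SubjectPublicKeyInfo
# extracted from the certificate must be byte-for-byte the -pubout form of the
# key and nothing more; the private half lives only in KEY.
cert_carries_public_half_only() {
    openssl x509 -in "$CERT" -pubkey -noout 2>/dev/null > "$WORK/from_cert.pem" &&
    cmp -s "$WORK/from_cert.pem" "$PUB"
}

main() {
    make_key_and_cert || { echo "openssl not usable"; return 2; }
    if dump_leaks_private pkey -in "$KEY"; then
        echo "pkey -text on the private key prints private components (expected)"
    fi
    if dump_leaks_private pkey -pubin -in "$PUB"; then
        echo "pkey -text on the -pubout key prints private components: LEAK"
        return 1
    fi
    if dump_leaks_private x509 -in "$CERT"; then
        echo "x509 -text on the certificate prints private components: LEAK"
        return 1
    fi
    echo "x509 -text on the certificate prints only the public key"
    cert_carries_public_half_only &&
        echo "certificate public key == pkey -pubout of the key"
}

main
```

The grep pattern covers the field names RSA_print uses for the private half (privateExponent, prime1, prime2, exponent1, coefficient); a public-only dump has only Modulus and Exponent, so any hit means private material reached the output. Run the same check with `req` against a freshly signed CSR if that is what your tooling prints.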