Rod Gilchrist wrote:
> Norberto Silva wrote:
>
> > Hi,
> >
> > I am in the process of trying to automate the generation of RSA private
> > keys using openssl genrsa.
> > In particular, I am trying to redirect user input via a temporary file
> > containing the pass phrase (and, of course, a confirming pass phrase on
> > the next line). In other words I have a file phrase.inp with the first
> > two lines containing (pass phrase is "secret"):
> >
> > secret
> > secret
> >
> > Then I want to automate the generation of the rsa key via the command
> >
> > openssl genrsa -des3 -out myKey.key 1024 < phrase.inp
> >
> > The problem I encounter is that genrsa is still prompting the user
> > rather than taking the contents of phrase.inp as input. Is there any way
> > around this?
> >
> > Norberto
>
> The PEM routines take a call back to read the password. I modified req.c
> (rsa.c looks to be very similar) to take a -p flag to set the password with
> the following snippets:
>
> char *pwd = (char *)0;
> pem_password_cb *pwd_cb = (pem_password_cb *)0;
> ...
>
> else if (strcmp(*argv,"-p") == 0)
>     {
>     if (--argc < 1) goto bad;
>     pwd = *(++argv);
>     pwd_cb = read_password_callback;
>     }
> ...
>
> if (!PEM_write_bio_PrivateKey(out,pkey,cipher,
>     NULL,0,pwd_cb,(void *)pwd))
>     {
>     if ((ERR_GET_REASON(ERR_peek_error()) ==
>         PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3))
>         {
>         ERR_clear_error();
>         i++;
>         goto loop;
>         }
>     goto end;
>     }
>
> Which worked fine, but then I abandoned it and decided just to generate the
> keys in unencrypted form (e.g. no password requested) via:
>
> openssl genrsa -out CA/private/CAkey.pem 1024
>
> - Rod
whoops, one missing snippet:
#include <string.h>

/* pem_password_cb: copy the passphrase handed over as userdata into buf.
   num is the size of buf; w (the rwflag) is 1 when the PEM routines are
   writing/encrypting and 0 when reading, and is not needed here. */
static int read_password_callback(char *buf, int num, int w, void *userdata)
{
    char *pwd = (char *)userdata;
    memset(buf, 0, (unsigned int)num);
    strncpy(buf, pwd, num - 1);   /* leave room for the terminating NUL */
    return (strlen(buf));         /* the PEM routines want the length back */
}
BTW, pats on the back all around to Dr Steve and the OpenSSL team. You guys are
doing a great job.
For the other newbies (besides me that is) out there, you _can_ hack this code.
The documentation is more hard-to-find than non-existent. Check out
www.openssl.org under 'Related' (the Columbia link is good for subroutine and
package documentation like this password thing) rather than 'Documents' on the
home page.
- Rod
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
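For the original question (feeding the pass phrase to genrsa from a file), the command-line tool already has a hook for this that does not require patching req.c or rsa.c: the -passout option, which reads the pass phrase from a file, so no stdin redirection or confirmation line is needed. The script below is an added example written for this thread, not code from Rod, Norberto or the OpenSSL project; it assumes the openssl binary is on PATH, and the file names and the pass phrase "secret" are constructed for the demo. It also checks the two things worth verifying after automating key generation: that the key on disk really is encrypted, and that it only opens with the intended pass phrase.

```shell
#!/bin/sh
# Added example (not from the thread): non-interactive generation of a
# pass-phrase-protected RSA key with the openssl CLI. genrsa does not read its
# pass phrase from stdin, but it accepts -passout, so the phrase comes from a
# file instead of the terminal. Assumes `openssl` is on PATH.
set -eu

# gen_encrypted_key KEYFILE PASSFILE [BITS]
# Writes an AES-256 encrypted PEM key. The pass phrase is the first line of
# PASSFILE (no confirmation line, unlike the interactive prompt). The subshell
# keeps the restrictive umask from leaking into the caller; the key file is
# created mode 0600 so other users on the box cannot read it.
gen_encrypted_key() {
    (
        umask 077
        openssl genrsa -aes256 -passout "file:$2" -out "$1" "${3:-2048}"
    )
}

# key_unlocks_with KEYFILE PASSFILE
# Returns 0 only if the key decrypts with the pass phrase in PASSFILE.
key_unlocks_with() {
    openssl rsa -in "$1" -passin "file:$2" -noout 2>/dev/null
}

# key_is_encrypted KEYFILE
# Returns 0 if the PEM on disk is marked encrypted: either the PKCS#8
# "ENCRYPTED PRIVATE KEY" header (OpenSSL 3) or the legacy
# "Proc-Type: 4,ENCRYPTED" line (OpenSSL 1.x). An unencrypted key has neither.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# demo: build phrase.inp the way the thread does (constructed sample
# pass phrase), generate myKey.key, then verify both properties above.
demo() {
    work=$(mktemp -d)
    printf 'secret\n' > "$work/phrase.inp"
    printf 'wrong\n'  > "$work/bad.inp"
    gen_encrypted_key "$work/myKey.key" "$work/phrase.inp" 2048
    key_is_encrypted "$work/myKey.key" && echo "key is encrypted on disk"
    key_unlocks_with "$work/myKey.key" "$work/phrase.inp" && echo "pass phrase accepted"
    if key_unlocks_with "$work/myKey.key" "$work/bad.inp"; then
        echo "ERROR: key opened with the wrong pass phrase"
    else
        echo "wrong pass phrase rejected"
    fi
    rm -rf "$work"
}

# Run the demo with: DEMO=1 sh thisscript.sh
if [ "${DEMO:-0}" = 1 ]; then demo; fi
```

Reading the phrase from a file (file:) rather than passing it as pass:secret on the command line matters in automation: arguments are visible to every local user through ps, whereas a file can be kept mode 0600 and deleted after use. The same -passin/-passout forms are accepted by openssl req and openssl rsa, so the patched -p flag above is not needed for scripting.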