Hi Peter,

On October 8, 2004 07:42 am, Peter 'Luna' Runestig wrote:
> I'm sorry, I was a bit unclear in my original post. I'm using this on a
> SSL/TLS *client*, to connect to a (telnet) server. So I am using client
> authentication. And I have tried numerous different cipher setups, but
> I can only trigger rsa_priv_enc() to be called. Do you have any tip for
> me, how I might trigger e.g. rsa_priv_dec() to be called?
Ah, ok. What about public-key ops, are you getting called for those? The
client should certainly be trying to authenticate the server which would
require at least one public key operation, probably rsa_pub_dec() in
RSA_METHOD-speak. But I'm not sure you need any rsa_priv_dec() operation.
Certainly, both sides need to sign for authentication, but only one side
should need to decrypt for the key-exchange. Because the server always
authenticates (client-authentication is quite rare), it's a pretty safe
bet with non-ephemeral RSA key-exchange that the client encrypts and the
server decrypts. That would certainly explain what you're seeing.

> Yes :-) I post the code here, in case someone is interested/have
> feedback/finds errors. It's all wrapped in a function:
>
> int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char
> *cert_prop);

Ah, I think you'd probably find it generally easier to spread your code if
you used something other than a new API to stitch the application up to
your CryptoAPI stuff - I can say from personal experience that you'll have
a difficult time getting applications to support one-off APIs. E.g. if you
exported the certificate details so they can be used directly by openssl
apps as PEM files, then you only need to make sure the application uses
your ENGINE for it to be able to hook all the private key work to the
appropriate CryptoAPI token. (You could put in a placebo key-file to
satisfy any applications that don't support the ENGINE_load_private_key()
API.)

Cheers,
Geoff

--
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
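The reasoning in Geoff's reply (which side of a TLS handshake performs which raw RSA operation, and why a client with a static RSA key exchange never needs rsa_priv_dec()) can be checked with a small model. The following is an added example, not code from this thread, from Peter's CryptoAPI wrapper, or from OpenSSL: it uses textbook RSA over constructed toy primes, borrows the four RSA_METHOD hook names purely as labels on a call counter, and walks the RSA steps of a TLS 1.0-style handshake for both a static RSA key exchange and an ephemeral (DHE_RSA) one, with and without client authentication. The `digest()` helper, the key sizes and the constructed messages are stand-ins chosen only so the arithmetic stays below the toy moduli.

```python
"""Which RSA_METHOD-style hooks fire on each side of a TLS-RSA handshake.

Toy textbook RSA with tiny constructed primes: illustration only, not
OpenSSL's RSA_METHOD and not a secure implementation.
"""
from collections import Counter


def toy_keypair(p, q, e=17):
    """Textbook RSA key from two tiny constructed primes (toy values only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


def public(key):
    return {"n": key["n"], "e": key["e"]}


def digest(data, modulus):
    """Stand-in for a hash: folds a tuple of ints to a value below the modulus."""
    return sum(data) % modulus


class InstrumentedRSA:
    """Mimics an RSA_METHOD table: the four raw RSA hooks, each counting its
    calls under the name of the peer (client/server) that owns the table."""

    def __init__(self, peer, calls):
        self.peer, self.calls = peer, calls

    def _op(self, hook, key, x, exp):
        self.calls[(self.peer, hook)] += 1
        return pow(x, key[exp], key["n"])

    def rsa_pub_enc(self, key, m):   # encrypt to a public key (key exchange)
        return self._op("rsa_pub_enc", key, m, "e")

    def rsa_pub_dec(self, key, s):   # recover a signature with a public key (verify)
        return self._op("rsa_pub_dec", key, s, "e")

    def rsa_priv_enc(self, key, h):  # raw private-key op on a digest (sign)
        return self._op("rsa_priv_enc", key, h, "d")

    def rsa_priv_dec(self, key, c):  # private-key decrypt (key exchange)
        return self._op("rsa_priv_dec", key, c, "d")


def handshake(ephemeral_kx, client_auth):
    """Walk the RSA steps of a TLS 1.0-style handshake and return, per peer,
    how many times each hook fired. All keys are constructed toy values."""
    calls = Counter()
    ca, srv_key, cli_key = toy_keypair(61, 53), toy_keypair(71, 67), toy_keypair(83, 89)
    client, server = InstrumentedRSA("client", calls), InstrumentedRSA("server", calls)

    # Certificates are issued offline by the CA; that private-key op is not a handshake hook.
    def issue(subject):
        d = digest((subject["n"], subject["e"]), ca["n"])
        return public(subject), pow(d, ca["d"], ca["n"])

    srv_cert, cli_cert = issue(srv_key), issue(cli_key)

    # 1. The client verifies the server certificate: a public-key op with the CA key.
    pub, sig = srv_cert
    assert client.rsa_pub_dec(public(ca), sig) == digest((pub["n"], pub["e"]), ca["n"])

    # 2. Key exchange.
    if ephemeral_kx:
        # DHE_RSA: the server signs its ephemeral parameters, the client verifies.
        params = digest((1234, 5678), srv_key["n"])   # constructed stand-in for DH params
        ske_sig = server.rsa_priv_enc(srv_key, params)
        assert client.rsa_pub_dec(pub, ske_sig) == params
    else:
        # Static RSA: the client encrypts the premaster secret, the server decrypts it.
        premaster = 4242   # constructed; kept below the toy server modulus
        ct = client.rsa_pub_enc(pub, premaster)
        assert server.rsa_priv_dec(srv_key, ct) == premaster

    # 3. Optional client authentication: the server checks the client cert,
    #    then the client signs the handshake transcript (CertificateVerify).
    if client_auth:
        cpub, csig = cli_cert
        assert server.rsa_pub_dec(public(ca), csig) == digest((cpub["n"], cpub["e"]), ca["n"])
        transcript = digest((11, 22, 33), cli_key["n"])   # constructed transcript digest
        cv_sig = client.rsa_priv_enc(cli_key, transcript)
        assert server.rsa_pub_dec(cpub, cv_sig) == transcript

    return {peer: {hook: n for (p, hook), n in calls.items() if p == peer}
            for peer in ("client", "server")}


if __name__ == "__main__":
    for kx in (False, True):
        for auth in (False, True):
            print(f"ephemeral={kx} client_auth={auth}: {handshake(kx, auth)}")
```

Running it shows the pattern Geoff describes: with a static RSA key exchange the client only ever calls rsa_pub_dec (certificate check), rsa_pub_enc (premaster encryption) and, when it authenticates, rsa_priv_enc (CertificateVerify), while rsa_priv_dec fires on the server alone; with an ephemeral exchange nobody calls rsa_priv_dec at all.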