How does openssl ca command get hsm password to use a private key?

[Antonio A]

hi friends of openssl, 
first of all excuse me if my question is out of the
list's scope.

here is my situation:

i work in a project that use a cryptographic device,
especifically a nCipher to store private keys. i read
that openssl use engine objects to manage
cryptographics devices such nShield HSM through CHIL
engine.

openssl ca command takes some arguments like:
$ openssl ca xxx xxxx xxx -engine chil -passin env:pwd

in the previous line the source of the password is the
enviromental variable pwd. 

i could see that in ca command source
openssl-0.9.7e/src/app/apps.c there are a couple of
functions:
int app_passwd(BIO *err, char *arg1, char *arg2, char
**pass1, char **pass2);
static char *app_get_pass(BIO *err, char *arg, int
keepbio)

the first function calls the second. the app_get_pass
function returns the password to use the engine.

what i really need is to know how openssl ca command
get the password (from an enviromental variable such
env:pwd) to sign a CSR through ENGINE engine.


i need to get the engine password to perform
cryptographics operations with my hsm like signing
certificates.

the following is a piece of the code of
openssl-0.9.7e/src/app/ca.c where the private key
stored in hsm is loaded to sign a CSR:

...
...
engine setup previously done here!
...
...

if (!key)
                {
                free_key = 1;
                if (!app_passwd(bio_err, passargin, NULL, &key,
NULL))
                        {
                        BIO_printf(bio_err,"Error getting password\n");
                        goto err;
                        }
                }
        pkey = load_key(bio_err, keyfile, keyform, 0, key, e,

                "CA private key");
        if (key) OPENSSL_cleanse(key,strlen(key));

...
...

is the key argument of load_key functions the
password?

i need to load the private key stored in the hsm to
signing certificates.

NOTE: the cards of the nCipher nShield HSM were read
before execute openssl ca command.

could anyone give me some hint to find out how to get
the hsm password?

thanks a lot for your help.

antonio araujo 




















 

__________________________________________________
Correo Yahoo!
Espacio para todos tus mensajes, antivirus y antispam ¡gratis! 
Regístrate ya - http://correo.espanol.yahoo.com/ 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]