Hi all,

I have a need to encrypt a block of text (a cookie) in such a way that the contents of the cookie can be protected[1] if and when the cookie is stolen in transit.

I would like to use EVP_EncryptInit and friends to do this, and this function requires that I provide a key and iv to be used as the key for encryption. As it turns out, I have a certificate private key handy in the form of an EVP_PKEY that (in theory) I could potentially use as a key for EVP_EncryptInit.

I have two questions:

- Does the use of an existing private key bring risk to that key if the private key is used to encrypt a block of text using EVP_EncryptInit and friends? This private key is already there in my application, and using it would eliminate the need to generate a second key.

- If this is sane, is there a way, given an EVP_PKEY, to extract the key block itself out of the EVP_PKEY? Everything I have found so far allows me to pass EVP_PKEY around, but not peek inside it.

[1] It is assumed the cookie could get stolen using any one of the various XSS risks currently out there and it is understood that the encryption will not prevent this in any way. The purpose of the encryption is to help protect the contents of the cookie in the event it is stolen.

Regards,
Graham

--
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                                [EMAIL PROTECTED]