On Monday, 15 September 2008 11:48:15, Dan Ribe wrote:
> Hi,
>
> I have a client/server application, where the client authenticates itself by signing a random string (sent by the server) using its private key. The whole logic is working fine for me. I am using the PEM_read_PrivateKey() function to read the private key from the key file which is stored on the disk.
>
> As per the current mechanism the PEM file needs to be part of the client bundle, but that is not good for the safety of the client's private key (as this way the key file will be visible to all the users of the application). I am looking for some mechanism to directly hardcode the key in the code and directly read it from there. Can anyone give me some idea on this? What format can I use to specify the PEM data in the code, and what APIs can be used to read the private key directly from the memory buffer?
>
> Looking for some valuable comments from you. Thanks
>
> Cheers!
Hi Dan,

you can encrypt the .pem file and then use a pem_password_cb function to supply the password in the call

    EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **pkey, pem_password_cb *cb, void *u);

So you add a symmetric key to the source code, or you can ask the user for a password. If you use openssl to generate the key files then you can use the parameter "-passout pass:<password>" to encrypt the file during key generation. For security the best option would be to use a smartcard to sign the data.

Cheers!
Lars

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]