Hooray, this question I can answer. (Maybe someone can answer mine
now?)

I don't know whether this is a bad way to do it, cryptographically, but it works.

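/*
 * Build a memory BIO that holds a private copy of `buf`.
 *
 * buf: bytes to copy (here: PEM text); NULL yields NULL.
 * len: number of bytes to copy, or -1 to use strlen(buf).
 *
 * Returns a BIO the caller releases with BIO_free(), or NULL on bad
 * arguments or allocation failure. An empty buffer also yields NULL, as it
 * did before (BUF_MEM_grow() reports 0 for a zero length).
 *
 * The bytes are written into the BIO's own buffer, so BIO_free() releases
 * the copy. The earlier version attached a separate BUF_MEM with close flag
 * 0 (BIO_NOCLOSE); the caller shown only calls BIO_free(), so the copied
 * key text was never freed.
 */
static BIO *memory_buf_BIO(const char* buf, int len)
{
  BIO* bio;

  if (!buf)
    return NULL;

  if (len == -1)
    {
      size_t n = strlen(buf);

      len = (int)n;
      /* Reject a length that does not survive the conversion to int. */
      if (len < 0 || (size_t)len != n)
        return NULL;
    }

  /* Any other negative length would turn into a huge copy size. */
  if (len <= 0)
    return NULL;

  bio = BIO_new(BIO_s_mem());
  if (!bio)
    return NULL;

  if (BIO_write(bio, buf, len) != len)
    {
      BIO_free(bio);
      return NULL;
    }

  return bio;
}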

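/*
 * PEM passphrase callback: copies the passphrase supplied as user data
 * into the buffer OpenSSL provides.
 *
 * buf:      destination buffer.
 * buf_size: capacity of buf in bytes, including room for the terminator.
 * x:        unused here (OpenSSL passes its read/write flag in this slot).
 * password: NUL-terminated passphrase, or NULL when there is none.
 *
 * Returns the number of passphrase bytes stored, excluding the terminator;
 * 0 when there is no passphrase or no usable buffer.
 *
 * A passphrase longer than buf_size - 1 is truncated, as before; a
 * truncated passphrase will normally fail to decrypt the key.
 */
static int ssl_key_password_callback(char* buf, int buf_size,
                                     int x, void* password)
{
  const char *pw = password;
  size_t len;

  (void)x;

  /* Without this guard buf_size - 1 goes negative and becomes the copy size. */
  if (!buf || buf_size <= 0)
    return 0;

  if (!pw)
    {
      buf[0] = '\0';
      return 0;
    }

  len = strlen(pw);
  if (len >= (size_t)buf_size)
    len = (size_t)buf_size - 1;
  memcpy(buf, pw, len);
  buf[len] = '\0';
  return (int)len;
}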


//Not initialised anywhere in this snippet: both are assumed to be created
//elsewhere before process_private_key() runs. That function passes ctx to
//SSL_CTX_use_PrivateKey(); ssl is not referenced by the code shown here.
  SSL *ssl;
  SSL_CTX *ctx;

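/*
 * Parse a PEM private key held in memory and install it in the global ctx.
 *
 * private_key:          NUL-terminated PEM text of the key.
 * private_key_password: passphrase for an encrypted key, or NULL/"" if none.
 *
 * Returns 1 when the key was parsed and accepted by SSL_CTX_use_PrivateKey(),
 * 0 otherwise (no key text, parse or passphrase failure, or ctx refusing it).
 *
 * Author's note: assembled from several functions for this email, so it may
 * need small adjustments to compile.
 *
 * Changes from the posted version: the return type is spelled out, the BIO
 * is released on the failure path too, a NULL key is no longer handed to
 * SSL_CTX_use_PrivateKey(), that call's result is checked, and the local
 * EVP_PKEY reference is dropped once ctx holds its own.
 *
 * Both input buffers stay owned by the caller, who may want to wipe them
 * (e.g. with OPENSSL_cleanse()) once the key is loaded.
 */
int process_private_key(char *private_key,char *private_key_password)
{
  EVP_PKEY *key = NULL;
  BIO *bio;
  int have_password;
  int ok;

  if (!private_key || !*private_key)
    return 0;

  /* Wrap the PEM text in a memory BIO so the PEM reader can consume it. */
  bio = memory_buf_BIO(private_key, -1);
  if (!bio)
    return 0;

  have_password = (private_key_password && *private_key_password);
  if (have_password)
    key = PEM_read_bio_PrivateKey(bio, NULL, ssl_key_password_callback,
                                  (void*)private_key_password);
  else
    /* NOTE(review): with no callback OpenSSL falls back to its default
       passphrase handler if the key turns out to be encrypted, which may
       prompt on the terminal; confirm that is acceptable for the caller. */
    key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);

  /* The BIO is finished with whether or not parsing succeeded. */
  BIO_free(bio);

  if (!key)
    {
#ifdef SSL_DEBUG
      /* A NULL key can also mean malformed PEM, not only a wrong passphrase. */
      if (have_password)
        printf("Bad Password\n");
#endif
      return 0;
    }

  ok = SSL_CTX_use_PrivateKey(ctx, key);

  /* ctx keeps its own reference on success; release ours in either case. */
  EVP_PKEY_free(key);

  /* If a certificate is already loaded into ctx, SSL_CTX_check_private_key()
     can confirm that it matches this key. */
  return ok == 1 ? 1 : 0;
}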

BiGNoRm6969 wrote:
> Hi,
>
> I did not know about the function EVP_PKEY *PEM_read_PrivateKey(FILE *fp,
> EVP_PKEY **pkey,pem_password_callback function *cb,void *u ) and it's
> exactly what I need to use (very similar situation like the author of this
> thread).
>
> However, how could I use the EVP_PKEY after that ? Is there an equivalent
> function to SSL_CTX_use_PrivateKey_file() to use that EVP_PKEY ?
>
> Also, after creating a key with openssl (with -passout parameter), is the
> certificate creation process the same ? Will I have to enter the key's
> password during the certificate creation ?
>
>
