Hi,

Somehow related to private keys but about loading them with CAPI engine... Does someone know if the ENGINE_load_private_key() for CAPI engine returns the PUBLIC KEY? I have a feeling it does so because I tried to save that returned EVP_PKEY to a PEM file with PEM_write_bio_PrivateKey and then to load it back from the same file with PEM_read_bio_PrivateKey. Saving worked, but loading failed (with some decoding error inside OpenSSL). The length of the base64 string in the PEM file for the key was very small in comparison with what is usually the length for private keys.

PEM_write_bio_PUBKEY and PEM_read_bio_PUBKEY worked with the returned EVP_PKEY.

Thanks!

________________________________
From: Ashok C <ash....@gmail.com>
To: openssl-users@openssl.org
Sent: Thursday, December 6, 2012 7:03 AM
Subject: Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine

Thanks Steve and Kent for the pointers. Makes things clear for now.

On Thu, Dec 6, 2012 at 4:22 AM, Dr. Stephen Henson <st...@openssl.org> wrote:

> On Wed, Dec 05, 2012, Ashok C wrote:
>
>> Hi,
>>
>> Our current SSL server loads plain-text private keys using the
>> SSL_CTX_use_PrivateKey_file() method. We are moving from this strategy to
>> use custom encrypted private keys using the TPM concept. For this, we have
>> an engine implemented. Now the question is this.
>>
>> Does my SSL server need to change from loading private keys using the
>> SSL_CTX_use_PrivateKey_file() method to use this method -->
>> ENGINE_load_private_key(ENGINE *e, const char *key_id,
>>                         UI_METHOD *ui_method, void *callback_data)
>>
>
> You can't use SSL_CTX_use_PrivateKey_file to load an ENGINE specific key.
> Instead you use ENGINE_load_private_key() to load the key into an EVP_PKEY
> structure and then pass that to SSL_CTX_use_PrivateKey().
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
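An added diagnostic, not from this thread or from OpenSSL, that inspects what a PEM file actually carries before it is handed to PEM_read_bio_PrivateKey: it walks the outer DER SEQUENCE and reports whether an "RSA PRIVATE KEY" body really has all nine RSAPrivateKey integers. The "public-only" sample assumes that an EVP_PKEY holding just n and e serialises as a SEQUENCE that stops after version, n, e; that is an assumption consistent with the short base64 blob described above, not something the thread confirms, and all key material is constructed toy data.

```python
import base64

def _tlv(tag, content):  # one DER element; short-form length suffices for toy data
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def _int(v):  # extra bit of room so a high leading bit never reads as negative
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed toy material: tiny textbook numbers, NOT usable keys; only the DER shape matters.
FULL_PRIVATE = _pem("RSA PRIVATE KEY",                       # version, n, e, d, p, q, dp, dq, qinv
    _tlv(0x30, b"".join(_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38))))
# Assumed shape of what PEM_write_bio_PrivateKey writes for an EVP_PKEY holding only n and e.
PUBLIC_ONLY = _pem("RSA PRIVATE KEY", _tlv(0x30, _int(0) + _int(3233) + _int(17)))
RSA_OID = _tlv(0x06, bytes.fromhex("2a864886f70d010101"))    # rsaEncryption
SPKI = _pem("PUBLIC KEY", _tlv(0x30, _tlv(0x30, RSA_OID + _tlv(0x05, b""))
            + _tlv(0x03, b"\x00" + _tlv(0x30, _int(3233) + _int(17)))))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def top_level_tags(der):
    """Tags of the elements directly inside the outer SEQUENCE."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer element is not a single SEQUENCE")
    tags, pos = [], 0
    while pos < len(body):
        t, _, pos = _read_tlv(body, pos)
        tags.append(t)
    return tags

def classify(pem):
    lines = pem.strip().splitlines()
    label = lines[0][len("-----BEGIN "):-len("-----")]
    tags = top_level_tags(base64.b64decode("".join(lines[1:-1])))
    if label == "RSA PRIVATE KEY":
        if tags == [0x02] * 9:
            return "RSAPrivateKey with all private components"
        return f"RSAPrivateKey truncated: {len(tags)} elements, private part missing"
    if label == "PUBLIC KEY" and tags == [0x30, 0x03]:
        return "SubjectPublicKeyInfo (public key only)"
    return f"{label}: unexpected layout {tags}"
```

For a key whose private half lives inside CryptoAPI or a TPM, the only safe path is the one Steve describes: keep the ENGINE-backed EVP_PKEY in memory and pass it to SSL_CTX_use_PrivateKey() rather than round-tripping it through a PEM file.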