> I'm afraid to ask where Boost is storing them. But I do have a morbid
> curiosity: would you happen to know?
Is this a little sense of irony? :)

From what I know, Boost does not store the keys. Boost has an implementation of SSL based on OpenSSL in boost::asio::ssl. This mimics the functionality and capabilities of OpenSSL and only accepts specifying certificates and private keys stored in files (in PEM format). For security, the private keys in a PEM file can be encrypted with a password. Whether OpenSSL, and thus Boost, keeps the private key in some protected way (like using DPAPI on Windows) after reading it from a PEM file, I really don't know, and I would be curious to know too.

My question was about using the OpenSSL CAPI engine, because I tried to mix the "security" offered by the Windows certificate store (and read the certificate and PKEY from there with the CAPI engine) with using Boost::asio::ssl and OpenSSL (which I'm forced to do because of the framework I use). Unfortunately, the OpenSSL CAPI engine does not offer all the functionality I need, even in the latest 1.0.1c version - like, for example, loading a server certificate. It can only load a private key, but that is questionable too, because I tried to save the private key to a PEM file and read it back, and it didn't work. Saving/reading to/from the PEM file was done with the API offered by OpenSSL in "pem.h", so I doubt that the API was not capable of saving it correctly (even if, instead of the prime numbers, the EVP_PKEY structure returned from ENGINE_load_privatekey contained some indexes, as someone mentioned in a post to this thread).

Using CryptoAPI directly to export an exportable private key from the Windows certificate store and to encode it into PEM format worked. I even fed the obtained PEM file into OpenSSL with success. I have exported the key as a PRIVATEKEYBLOB, whereas the OpenSSL CAPI engine exports it as a PUBLICKEYBLOB and then converts it to the OpenSSL EVP_PKEY structure (but only the public exponent and modulus are put in the EVP_PKEY).
________________________________
From: Jeffrey Walton <noloa...@gmail.com>
To: openssl-users@openssl.org
Sent: Friday, December 7, 2012 4:52 PM
Subject: Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine

On Fri, Dec 7, 2012 at 5:05 AM, LN <lnicu...@yahoo.com> wrote:
>
> ...
>
>> MS CAPI has an option to mark a private key as "exportable" when you
>> create or install it, which means that the private key can then be read
>> anyway, but I don't know if that feature is used by the OpenSSL "CAPI
>> Engine". It is almost always a good idea NOT to mark private keys as
>> exportable. Note that whatever is decided when the private key is first
>> stored by CAPI will be permanent (There is a 3 step workaround for making an
>> exportable key non-exportable, but any ability to go the
>> other way would compromise security just by being possible).
>
> Indeed, private keys are not exportable as long as they are not marked as
> such when the certificate is imported in the windows store. Unfortunately, I
> am forced to use boost::asio::ssl which (AFAIK) does not integrate with CAPI
> engine so I cannot ask it to sign or decrypt communication.
> Anyway, seems more secure, then, to have the private key in a file encrypted
> with a password, then keeping it in the windows store, if I want to pass it
> to OpenSSL (through boost::asio::ssl) :)

Keys should be stored in DPAPI. See Howard and LeBlanc's "Writing Secure
Code," Chapter 9
(http://www.amazon.com/Writing-Secure-Second-Michael-Howard/dp/0735617228).

I'm afraid to ask where Boost is storing them. But I do have a morbid
curiosity: would you happen to know?

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
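The reply above makes two points worth checking mechanically: a PEM private key handed to OpenSSL (and so to boost::asio::ssl) can be kept passphrase-encrypted on disk, and a PEM that came out of the CAPI engine's PUBLICKEYBLOB path carries only the public modulus and exponent, so it will not work as a private key. The script below is an added example, not code from the thread or from OpenSSL or Boost: it generates throwaway test material with the `openssl` CLI, wraps the key as encrypted PKCS#8, and then checks that a given PEM is a complete private key and that its modulus matches the certificate it is meant to pair with. The passphrase, subject name and file paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build a PEM certificate and a
# passphrase-protected PEM private key of the kind boost::asio::ssl / OpenSSL
# load, then verify the key is complete and belongs to the certificate.
# Needs only the openssl CLI; every key here is generated on the fly.
set -e

WORK=$(mktemp -d)
cleanup() { rm -rf "$WORK"; }
trap cleanup EXIT

PASS="example-passphrase"   # constructed; read it from a prompt or secret store in practice

# 1. Throwaway RSA key and self-signed certificate (constructed test material).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/plain.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/plain.key" -days 1 \
    -subj "/CN=example.invalid" -out "$WORK/cert.pem" 2>/dev/null

# 2. Re-wrap the key as encrypted PKCS#8 (AES-256-CBC). This is the on-disk
#    form a password callback in boost::asio::ssl unlocks at load time.
openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$WORK/plain.key" \
    -passout "pass:$PASS" -out "$WORK/enc.key"

# 3. Public-key-only PEM: the negative control, standing in for what the CAPI
#    engine's PUBLICKEYBLOB conversion yields (modulus and exponent only).
openssl pkey -in "$WORK/plain.key" -pubout -out "$WORK/pub.pem" 2>/dev/null

# key_is_complete FILE PASS
#   Succeeds only if FILE parses as a private key whose RSA components are
#   consistent (openssl rsa -check). A public-only PEM fails this check.
key_is_complete() {
    openssl rsa -in "$1" -passin "pass:$2" -check -noout >/dev/null 2>&1
}

# key_matches_cert KEY PASS CERT
#   Succeeds only if the private key's modulus equals the certificate's
#   modulus, i.e. the key really is the one the certificate was issued for.
key_matches_cert() {
    kmod=$(openssl rsa -in "$1" -passin "pass:$2" -noout -modulus 2>/dev/null) || true
    cmod=$(openssl x509 -in "$3" -noout -modulus 2>/dev/null) || true
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Usage: report on both the encrypted key and the public-only PEM.
for f in enc.key pub.pem; do
    if key_is_complete "$WORK/$f" "$PASS" && key_matches_cert "$WORK/$f" "$PASS" "$WORK/cert.pem"; then
        echo "$f: complete private key, matches cert.pem"
    else
        echo "$f: NOT usable as the private key for cert.pem"
    fi
done
```

Running the two checks against any PEM before handing it to `SSL_CTX_use_PrivateKey_file()` (or Boost's `use_private_key_file`) turns the "it didn't work" from the reply into a concrete diagnosis: `openssl rsa -check` fails on a key that is missing its private components, and a modulus mismatch means the key and certificate were never a pair.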