Hi, everybody ...
I am using openssl in an environment which suggests to keep the private
rsa key not on the host on which the application is running which uses
openssl. In this aspect my situation is much like using a smart card.
I tried the following:
On the host I keep the real certificate and a fake private key which is a
valid key but does not match the real certificate. When the crypting
actually takes place, I let it be done by someone else (e.g. a smart
card or via a socket connection by a different host).
This scenario produces the problem that the code for setting the private
key includes a test whether the key (my fake key) matches the given
certificate. As it does not match, the code returns with an error.
That check is normally done in ssl_rsa.c::ssl_set_pkey(), but the code
offers a way to prevent it. Therefor the flag RSA_METHOD_FLAG_NO_CHECK
has to be set, but I haven't found a way yet to set that flag _before_ the
private key is loaded.
Q1: Is there an official way which allows me to keep the private key away
and let the private-key crypting be done by a different machine
without patching the openssl code?
Q2: How can I set that flag RSA_METHOD_FLAG_NO_CHECK in the rsa struct
before the private key is loaded?
Alfe
____ ________
/___/ /___/___ http://www.cs.tu-berlin.de/~alfebtcd, Alfe @ TubMud
/___/___/___/___ Alexander Fetke, Bruno-Taut-Ring 5b, 12359 Berlin
/ /___/ /___ +49-30-60109906, [EMAIL PROTECTED], +49-30-44340358
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
