>From: owner-openssl-us...@openssl.org On Behalf Of Leonardo Laface de Almeida
>Sent: Thursday, 11 October, 2012 14:04

>I have an application which already establishes an SSL socket connection 
>using OpenSSL as a lib. Now my application needs to allow the user to 
>create an RSA key pair, sign documents and verify signatures. This will be 
>needed in some features of my application, managed by the user, for signing 
>docs and verifying signatures. 

>The point is not to do this by prompt, because that would force installing 
>openssl on every computer on which the application is installed. The idea is 
>to call some function from the OpenSSL lib already imported by my application 
>in order to create and use the key pair.

I assume by "prompt" you mean the commandline, aka the utility executable 
"openssl" (openssl.exe on Windows)? Note this executable can take its 
input as commandline args or from a file or pipe, without prompting.

If your application uses openssl as dynamic library(ies), as is the 
usual configuration on most systems, you already need the openssl 
library(ies) installed for your application to work. If so, presumably 
you've already handled that, and that install probably could and 
maybe did include the commandline executable.

But yes, everything significant "openssl" does is done by calling 
library functions that your application(s) can call.

>My question is, what's the best (or easiest) way to make this happen? 

A common standard way of doing signatures on data is CMS-formerly-PKCS7,
see thread "PKCS7 open and extract signature" just in the past few days.

>I'm thinking of calling the function which the openssl prompt calls; then 
>the OpenSSL lib will generate and store the key, already in PEM format, 
>in a directory specified by the application. The same for signing docs 
>and verifying signatures.

Almost. See RSA_generate_key to generate a key, or EVP_keygen* 
for the new-1.0.0 more generic way, and PEM_write[_bio]_RSAPrivateKey 
to write the specific legacy form or PEM_write[_bio]_PKCS8PrivateKey 
for the (less new) generic form. And similarly to read back.
If these files are only stored locally and a human needn't look at them, 
you could use DER format instead of PEM. But there's little benefit.

>Another way would be to call the RSA functions directly and write the code 
>for the PEM format myself. 

You can call RSA_* directly, or you can use the generic EVP_* routines 
with an RSA key, which is where recent development effort has focussed.

If you want CMS, openssl has a module for that (and for SMIME_, 
which is really CMS under the covers), which actually uses EVP_*, 
with routines to write and read the structure in PEM. If you design 
your own structure, you'll need to implement it yourself, though openssl 
can do base64 using a BIO (directly to/from a file, or in memory) 
or just EVP_{en,de}code directly.

All of these are routines that the commandline can use, depending on 
the "subcommand" you choose and the arguments you give it.

>I have no idea which one is easier or better. I'm reading the OpenSSL docs 
>and source code, but I'm still a bit lost on how to make it work. 

Hope this helps. If you have more specific questions ask again.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
