On Mon, 2015-01-12 at 13:54 +0100, Arne Schwabe wrote: > I wonder why only certifcates and not ca certifcates. It would be > logical to get all certifcates from the keychain.
Yes, that makes some sense. Although perhaps it should be the other way round — you present the peer's cert to the management client and it just gives you a "yes" or "no" answer. Perhaps after asking the user, if the certificate *wasn't* automatically trusted. > Well although rsa-sign at the momemnt probably only supports RSA (it is > implemented using rsa_method iirc) the API is not rsa specific. It is > just: "Please sign this hash with the private key". In the case of an > RSA certificate this happens to be RSA encrypt in ECB mode with PKCS#1 > padding. I hope it goes without saying, but obviously if we making that more generic, we should be careful not to do dangerous things like allowing the management client to do RSA encryption *without* padding. :) > I am not sure if there is an equivalent of rsa_method for EC in OpenSSL > or if you have to use the engine functionality of OpenSSL for EC. An externally-built ENGINE can't do anything more than you can. Hence http://rt.openssl.org/Ticket/Display.html?id=2459&user=guest&pass=guest -- dwmw2
smime.p7s
Description: S/MIME cryptographic signature
