> From: owner-openssl-us...@openssl.org On Behalf Of A Taylor
> Sent: Wednesday, 28 January, 2009 10:44

> I am currently using the PKCS5 openssl function for PBE. Currently I
> have the values of the password, salt and iterations hardcoded in my
> example but I want to avoid this. Is there an openssl implementation
> of a key store or something similar?
> For the key store, how do I create one?
> Are there openssl functions to access the key store?
> Or is there some other construct I could use?
> 
Not really. openssl by itself can store a privatekey in a file 
under PBE (or in clear, which of course does not help security).
(Also openssl can store in clear other things, like cert, that don't 
need security so this is not an issue. But still it's just a file.)
Anything on top of that you have to build yourself or find elsewhere.

If you did have a secure keystore, you could just store a privatekey 
(or secretkey) in it directly. Unless you're just being compatible with 
some other (existing) system or procedure, PBE is normally useful when 
you want a person to provide the password and thus control the key.

> Finally, is there an openssl function similar to memset that I could
> use to null out the password, salt and generated key from memory when
> I'm done with them?
> 
OPENSSL_cleanse in crypto.h

It's not clear if salt is really sensitive and needs to be cleansed, 
but it doesn't hurt. (IVs are somewhat analogous, and are exposed.) 
You should cleanse any other sensitive data as well, such as 
cleartext after encryption (sent) or processing (received).
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
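As an added example (not code from the thread and not OpenSSL's own), the following Python shows the pattern the reply describes: the password comes from the user at run time, while the salt and iteration count are generated fresh and stored in a small header next to the ciphertext rather than hardcoded. It uses `hashlib.pbkdf2_hmac`, which is the same PKCS#5 PBKDF2 that OpenSSL's `PKCS5_PBKDF2_HMAC` implements. The header layout (`MAGIC` tag, big-endian iteration count, 16-byte salt) is an assumption made for this example, not a standard container format, and `wipe()` is only a best-effort analogue of `OPENSSL_cleanse`, since Python cannot guarantee that no other copies of a buffer exist.

```python
"""PKCS#5 PBKDF2 key derivation with salt and iterations carried in a header."""
import hashlib
import hmac
import os
import struct

MAGIC = b"PBE1"          # assumed 4-byte tag identifying this example's header
SALT_LEN = 16            # bytes of random salt; RFC 8018 recommends at least 8
KEY_LEN = 32             # 256-bit derived key
DEFAULT_ITERATIONS = 200_000
HEADER_LEN = len(MAGIC) + 4 + SALT_LEN


def derive_key(password, salt, iterations, key_len=KEY_LEN):
    """PBKDF2-HMAC-SHA256, the PKCS#5 KDF the thread refers to.

    password and salt may be bytes or bytearray; a bytearray can be
    wiped afterwards with wipe().
    """
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    if len(salt) < 8:
        raise ValueError("salt must be at least 8 bytes")
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=key_len)


def new_parameters(iterations=DEFAULT_ITERATIONS):
    """Fresh random salt plus the iteration count, packed into a header that
    is stored alongside the ciphertext instead of in the source code."""
    salt = os.urandom(SALT_LEN)
    return MAGIC + struct.pack(">I", iterations) + salt


def parse_parameters(header):
    """Recover (iterations, salt) from a header; rejects malformed input."""
    if len(header) != HEADER_LEN or not header.startswith(MAGIC):
        raise ValueError("not a recognised parameter header")
    iterations = struct.unpack(">I", header[len(MAGIC):len(MAGIC) + 4])[0]
    salt = header[len(MAGIC) + 4:]
    return iterations, salt


def derive_from_header(password, header):
    """Re-derive the key from the user's password and the stored parameters."""
    iterations, salt = parse_parameters(header)
    return derive_key(password, salt, iterations)


def key_matches(password, header, expected_key):
    """Constant-time check of a password against a previously derived key."""
    derived = derive_from_header(password, header)
    return hmac.compare_digest(bytes(derived), bytes(expected_key))


def wipe(buf):
    """Best-effort analogue of OPENSSL_cleanse for a mutable buffer: overwrite
    it in place. Python cannot guarantee that no other copies exist."""
    buf[:] = bytes(len(buf))


if __name__ == "__main__":
    header = new_parameters()                        # goes with the ciphertext
    pw = bytearray(b"correct horse battery staple")  # constructed sample password
    key = bytearray(derive_from_header(pw, header))
    wipe(pw)                                         # password no longer needed
    print("header (hex):", header.hex())
    print("key    (hex):", key.hex())
    print("right password verifies:", key_matches(b"correct horse battery staple", header, key))
    print("wrong password verifies:", key_matches(b"wrong", header, key))
    wipe(key)                                        # key no longer needed
```

The salt is not treated as secret here, in line with the reply: it sits in the clear in the header, and only the password and the derived key are wiped once they are no longer needed.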