[openssl-dev] Using openssl with a remote private key

David Woodhouse dwmw2 at infradead.org
Tue Mar 17 20:02:19 UTC 2015


On Tue, 2015-03-17 at 15:44 +0000, Tigran Gyonjyan (BLOOMBERG/ 731 LEX)
wrote:
> 
> 
> Recently I had to work on an openssl project where due to security
> requirements I had to place the private key for the server certificate
> on another machine. In order to be able to make openssl ignore the
> fake private key in the certificate I had to "hack" some data
> structures to delegate the handshake decrypt to the remote machine so
> that the handshake could succeed.
> 
> 
> I was wondering if this capability to delegate the decrypt function
> can be useful enough to incorporate into the official version.
> In cases when the client and the server are located on the user's machine
> it is a risk to keep the private key on that machine.
> 
> 
> Let me know if there is a better solution for this problem.

Yes, PKCS#11. Which is *all* about delegating the decrypt function.

If you install the OpenSC ENGINE_pkcs11 (which *really* ought to be part
of OpenSSL, either in ENGINE form or preferably just native PKCS#11
support like libp11), you can configure it to use a key in PKCS#11. And
it's relatively simple to have a PKCS#11 provider which does the RPC to
the remote machine or wherever the key is actually stored.

I have patches outstanding to ENGINE_pkcs11 which make it Just Work™
with PKCS#11 tokens which are configured in the system's p11-kit
configuration, and accept standard PKCS#11 URIs for them instead of the
bizarre format it currently requires.

-- 
dwmw2
