[openssl-dev] Using openssl with a remote private key

Tigran Gyonjyan (BLOOMBERG/ 731 LEX) tgyonjyan at bloomberg.net
Tue Mar 17 22:22:56 UTC 2015


Thank you for your responses, PKCS#11 could be the right way to go. I am hoping there is flexibility as per what functionality I want to delegate (just need the decrypt piece).
If I had to implement a fully fledged PKCS#11 module that would be an overkill. I hope that's not the case?


From: dwmw2 at infradead.org At: Mar 17 2015 16:02:44
To: Tigran Gyonjyan (BLOOMBERG/ 731 LEX), openssl-dev at openssl.org
Subject: Re: [openssl-dev] Using openssl with a remote private key

On Tue, 2015-03-17 at 15:44 +0000, Tigran Gyonjyan (BLOOMBERG/ 731 LEX)
wrote:
> 
> 
> Recently I had to work on an openssl project where due to security
> requirements I had to place the private key for the server certificate
> on another machine. In order to be able to make openssl ignore the
> fake private key in the certificate I had to "hack" some data
> structures to delegate the handshake decrypt to the remote machine so
> that the handshake could succeed.
> 
> 
> I was wondering if this capability to delegate the decrypt function
> can be useful enough to incorporate into the official version.
> In cases when the client and the server are located on user's machine
> it is a risk to keep the private key on that machine.
> 
> 
> Let me know if there is a better solution for this problem.

Yes, PKCS#11. Which is *all* about delegating the decrypt function.

If you install the OpenSC ENGINE_pkcs11 (which *really* ought to be part
of OpenSSL, either in ENGINE form or preferably just native PKCS#11
support like libp11), you can configure it to use a key in PKCS#11. And
it's relatively simple to have a PKCS#11 provider which does the RPC to
the remote machine or wherever the key is actually stored.

I have patches outstanding to ENGINE_pkcs11 which make it Just Work™
with PKCS#11 tokens which are configured in the system's p11-kit
configuration, and accept standard PKCS#11 URIs for them instead of the
bizarre format it currently requires.

-- 
dwmw2
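The setup dwmw2 describes, as an added example rather than anything posted in the thread: build a PKCS#11 URI for the server key, generate an OpenSSL config fragment that loads the libp11 `pkcs11` ENGINE, and print the `openssl s_server` command line that takes its private key from the engine while the certificate stays a plain file. The engine path, the provider module path (which in this use case would be the PKCS#11 module that forwards the decrypt to the remote key holder), the token and object labels, and the port are assumptions. Passing a `pkcs11:` URI to `-key` presumes an engine_pkcs11 build that accepts PKCS#11 URIs, which is exactly what dwmw2's outstanding patches add; older builds want their own slot/id format. The script itself never touches a token, so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): generate a PKCS#11 URI, an OpenSSL
# ENGINE config and the s_server command line for a key held behind PKCS#11.
# Nothing here talks to a token; all paths and labels are assumptions.

# Percent-encode one attribute value per RFC 7512: anything outside the
# unreserved set becomes %XX, so token/object labels with spaces stay valid.
pkcs11_escape() {
    s=$1
    out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character of the remainder
        s=${s#?}                 # drop it
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# token=...;object=...;type=private selects exactly one private-key object.
pkcs11_uri() {
    printf 'pkcs11:token=%s;object=%s;type=private' \
        "$(pkcs11_escape "$1")" "$(pkcs11_escape "$2")"
}

# OpenSSL config fragment that loads the libp11 pkcs11 ENGINE (dynamic_path)
# and points it at a PKCS#11 provider (MODULE_PATH). For the remote-key case
# MODULE_PATH is the module that does the RPC to wherever the key lives.
engine_cnf() {
    engine_so=$1
    module_so=$2
    cat <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $engine_so
MODULE_PATH = $module_so
init = 0
EOF
}

# The key is fetched through the engine; the certificate is still a PEM file.
s_server_cmd() {
    cnf=$1
    port=$2
    key_uri=$3
    cert=$4
    printf 'OPENSSL_CONF=%s openssl s_server -accept %s -engine pkcs11 -keyform engine -key "%s" -cert %s\n' \
        "$cnf" "$port" "$key_uri" "$cert"
}

# Hypothetical paths and labels; adjust to the installed engine and provider.
CNF=${TMPDIR:-/tmp}/pkcs11-engine.cnf
engine_cnf /usr/lib/engines/engine_pkcs11.so /usr/local/lib/remote-key-pkcs11.so > "$CNF"
s_server_cmd "$CNF" 4433 "$(pkcs11_uri "Remote key holder" "server tls key")" server.crt
```

The engine will prompt for the token PIN when it logs in; libp11 also accepts a `PIN =` line in `[pkcs11_section]` if the server has to start unattended, which is the usual trade-off between an interactive start and a PIN on disk. With this in place the only thing the provider module behind `MODULE_PATH` has to implement for the RSA key exchange is the decrypt path (plus enough of the object-enumeration calls for the engine to find the key), which is the "just the decrypt piece" delegation the thread is after, without OpenSSL itself needing any patched data structures.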

