DDvO contrib: private key protection using OpenSSL's PEM password callback #40

Open: DDvO wants to merge 2 commits into base: main
@DDvO DDvO commented Apr 5, 2016

This implements password-based protection for PEM encoded private keys using OpenSSL's PEM password callback function. The changes made essentially affect only the example applications.

estclient.c and estserver.c now implement an extra option, "--keypass", used to specify a password source for en-/decrypting the PEM file contents used to store the respective private keys. According to the simple password callback function I implemented/used, the password may be either typed in on the fly on the console or passed on the command line. As the key encryption algorithm I decided to use AES-128-CBC:

  #define EST_PRIVATE_KEY_ENC EVP_aes_128_cbc() // The key wrap algorithm optionally used to protect private keys

I had to extend the est_load_key function, as well as the PEM write function and the RSA/EC key generation functions, to make use of the password callback. I moved all these helper functions:

  char *ossl_generate_private_RSA_key (int key_size, pem_password_cb *cb);
  char *ossl_generate_private_EC_key (int curve_nid, pem_password_cb *cb);
  char *ossl_private_key_to_PEM (const EVP_PKEY* pkey, pem_password_cb *cb);
  EVP_PKEY *ossl_read_private_key (const char *key_file, pem_password_cb *cb);
  EVP_PKEY *ossl_load_private_key (const unsigned char *key, int key_len, int format, pem_password_cb *cb);
  #define ossl_load_private_key_PEM(key) ossl_load_private_key((unsigned char*)(key),strlen(key),EST_FORMAT_PEM, NULL)

to est_ossl_util.c (where their implementation makes most sense to me, while they could also be defined, e.g., in est.c, example/util/utils.c, or test/util/test_utils.c) and declared them in est.h, such that they can be used easily by all applications and unit tests.

BTW, I managed to avoid adaptations to the code of the unit tests simply by employing the following macros:

  #define est_load_key(key, key_len, format) ossl_load_private_key(key,key_len,format, NULL)
  #define read_private_key(key_file) ossl_read_private_key(key_file, NULL)

The only action needed for the unit tests is to fully re-compile them once, which may be triggered simply by a "make clean".
