[xmlsec] xmlsec tests use private keys in the clear
Tejkumar Arora
tej at netscape.com
Wed Jun 4 12:38:04 PDT 2003
Tej Arora wrote:
>Aleksey Sanin wrote:
>
> > Since NSS does not have an ability to load private keys from clear form,
> > then probably the right approach for tests suite would be to just use
> > keys
> > from key db. Probably this means that xmlsec-nss should just ignore
> > private keys from xml keys file. For example, there would be one more
> > command line parameter for xmlsec utility:
> > --crypto-config <path>
> > with path to crypto config folder. For NSS that would be path to keys
>and
> > certs db. You will prepare keys/certs db with same keys as keys and
>certs
> > in tests/keys/* and in other subfolders test/*.
> >
> > I don't like this approach but it seems natural for NSS world. The only
> > thing I would like to think of is how to generalize it to make it less
> > NSS specific.
> >
> >
> > Aleksey
> >
>It would be a good idea to always use PKCS8 format for private
>keys. This will then not be any crypto engine specific, and allows
>for encrypting the private key. Avoid private key components in xml.
>
>To make this happen for xmlsec/openssl, some simple changes are needed:
>
>1. in src/openssl/app.c, replace
>
> pKey = d2i_PrivateKey_bio(...) with
>pKey = d2i_PKCS8PrivateKey_bio(bio, NULL, pwdCallback, (void*)pwd);
>
>2. replace the current <pvtkey>.der & <pvtkey>.pem unencrypted
>private key files with
><pvtkey>.der & <pvtkey>.pem that contains an encrypted private key.
>This can be done with the "openssl pkcs8" utility. Use some password "foo".
>
>3. Edit the *.sh test scripts to add "--pwd foo" option wherever
>we have "--privkey....."
>
>
>Do you want me to make these changes?.
>
>-Tej
>
>
The changes are attached. Since there are some binary files involved,
i'm also attaching a tarball of those binary files.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff.gz
Type: application/x-gzip
Size: 4895 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20030604/ae88b519/diff.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tarball.gz
Type: application/x-gzip
Size: 1711 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20030604/ae88b519/tarball.bin
More information about the xmlsec
mailing list