[xmlsec] xmlsec tests use private keys in the clear
tej at netscape.com
Wed Jun 4 11:52:35 PDT 2003
Aleksey Sanin wrote:
> Since NSS does not have an ability to load private keys from clear form,
> then probably the right approach for tests suite would be to just use
> from key db. Probably this means that xmlsec-nss should just ignore
> private keys from xml keys file. For example, there would be one more
> command line parameter for xmlsec utility:
> --crypto-config <path>
> with path to crypto config folder. For NSS that would be path to keys
> certs db. You will prepare keys/certs db with same keys as keys and
> in tests/keys/* and in other subfolders test/*.
> I don't like this approach but it seems natural for NSS world. The only
> thing I would like to think of is how to generalize it to make it less
> NSS specific.
It would be a good idea to always use PKCS8 format for private
keys. This will then not be any crypto engine specific, and allows
for encrypting the private key. Avoid private key components in xml.
To make this happen for xmlsec/openssl, some simple changes are needed:
1. in src/openssl/app.c, replace
pKey = d2i_PrivateKey_bio(...) with
pKey = d2i_PKCS8PrivateKey_bio(bio, NULL, pwdCallback, (void*)pwd);
2. replace the current <pvtkey>.der & <pvtkey>.pem unencrypted
private key files with
<pvtkey>.der & <pvtkey>.pem that contains an encrypted private key.
This can be done with the "openssl pkcs8" utility. Use some password "foo".
3. Edit the *.sh test scripts to add "--pwd foo" option wherever
we have "--privkey....."
Do you want me to make these changes?.
More information about the xmlsec