Hi,

On Wed, Feb 21, 2018 at 01:04:17AM +0900, Frank Migge wrote:

> >> the question remains: Is there a way to reuse an already-encrypted privkey?
> I'd say yes it *could* work, but not with OpenSSL API functions. You'd
> have to roll your own code for the PKCS12 creation.
> OpenSSL's PKCS12_create() function expects an unencrypted EVP_PKEY
> object. But, internally, that key is turned into an encrypted PKCS8
> structure, as expected by the PKCS8ShroudedKeyBag type defined in RFC-7292.

That's about what I thought I figured out, yeah. :)

> That's why I think it may be possible to experiment and modify code such
> as in crypto/pkcs12/p12_crt.c, trying to pass-through that already
> encrypted PKCS8 key "as-is" straight into the pkcs8ShroudedKeyBag
> object. If your key is a file in PEM format, you'd need to get that into
> an internal structure first (more coding), I don't think there is a
> simple API import (without decryption).
> If you manage to successfully build that PKCS12, you'd run into trouble
> for decoding, which probably fails for all known software. They all
> expect to be able to read the private key, when in your case it needs
> saving to a file somewhere for further handling, or for entering that
> second key-specific password. You'd again have to code your own PKCS12
> unpack program, just for this specific use case.
> I may be wrong but to me it looks doable, just a *lot* of work.

... and that, unfortunately, is about what I concluded as well. Bummer. ;-)

But thanks a lot for your thoughts (also to Jakob and Viktor)! :)

Cheers,
Toby.

-- 
To the systems programmer, users and applications serve only to provide a test load.
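As an added example (not code from the thread or from OpenSSL), the script below reproduces with the openssl(1) CLI what Frank describes for the API: a passphrase-protected PKCS#8 PEM key cannot be passed through, it has to be decrypted (-passin) so that PKCS12_create() can re-shroud it under the PKCS#12 password (-passout), and the resulting pkcs8ShroudedKeyBag opens only with that second password. It assumes openssl 1.1.1 or 3.x on PATH; the passphrases and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: round-trip a passphrase-protected
# PKCS#8 PEM key through "openssl pkcs12 -export" and check what comes out.
# Assumes the openssl(1) CLI (1.1.1 or 3.x) is on PATH; passphrases are constructed.

PEM_PASS="pem-secret"   # constructed: protects the encrypted PEM input
P12_PASS="p12-secret"   # constructed: the PKCS#12 password (MAC + key bag)

# Runs the steps inside directory $1; returns 0 only if every expectation holds.
pkcs12_shroud_steps() {
    d=$1

    # 1. A plain key, then the already-encrypted PKCS#8 PEM we want to reuse.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/plain.pem" 2>/dev/null || return 1
    openssl pkcs8 -topk8 -in "$d/plain.pem" -out "$d/enc.pem" \
        -v2 aes-256-cbc -passout "pass:$PEM_PASS" || return 1

    # 2. No pass-through: the CLI must decrypt enc.pem (-passin) so that
    #    PKCS12_create() receives a plain EVP_PKEY and re-encrypts it (-passout).
    openssl pkcs12 -export -nocerts -inkey "$d/enc.pem" \
        -passin "pass:$PEM_PASS" -passout "pass:$P12_PASS" \
        -out "$d/key.p12" || return 1

    # 3. The key is stored in a pkcs8ShroudedKeyBag (RFC 7292); -info reports
    #    it on stderr, whatever PBE algorithm this OpenSSL version picked.
    openssl pkcs12 -info -noout -in "$d/key.p12" -passin "pass:$P12_PASS" 2>&1 \
        | grep -q 'Shrouded Keybag' || return 1

    # 4. The original PEM passphrase no longer opens anything (MAC verify
    #    fails); only the PKCS#12 password does.
    if openssl pkcs12 -noout -in "$d/key.p12" -passin "pass:$PEM_PASS" 2>/dev/null; then
        return 1
    fi
    openssl pkcs12 -noout -in "$d/key.p12" -passin "pass:$P12_PASS" 2>/dev/null || return 1
}

# Wrapper that owns a scratch directory and always removes it.
pkcs12_shroud_demo() {
    workdir=$(mktemp -d) || return 1
    pkcs12_shroud_steps "$workdir" && status=0 || status=$?
    rm -rf "$workdir"
    return "$status"
}

pkcs12_shroud_demo && echo "key bag is shrouded under the PKCS#12 password only"
```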
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users