How does openssl ca command get hsm password to use a private key?


Antonio Araujo
Hi friends of OpenSSL,
First of all, excuse me if my question is out of the
list's scope.

Here is my situation:

I work in a project that uses a cryptographic device,
specifically an nCipher, to store private keys. I read
that OpenSSL uses engine objects to manage
cryptographic devices such as the nShield HSM through CHIL.

The openssl ca command takes some arguments like:
$ openssl ca xxx xxxx xxx -engine chil -passin env:pwd

In the previous line the source of the password is the
environment variable pwd.

I could see that in the ca command source,
openssl-0.9.7e/src/app/apps.c, there are a couple of functions:
int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
static char *app_get_pass(BIO *err, char *arg, int keepbio);

The first function calls the second. The app_get_pass
function returns the password to use the engine.

What I really need is to know how the openssl ca command
gets the password (from an environment variable such as
env:pwd) to sign a CSR through an ENGINE.

I need to get the engine password to perform
cryptographic operations with my HSM, like signing.

The following is a piece of the code of
openssl-0.9.7e/src/app/ca.c where the private key
stored in the HSM is loaded to sign a CSR:

(engine setup previously done here!)

	if (!key)
		{
		free_key = 1;
		/* resolve the -passin argument (e.g. env:pwd) into key */
		if (!app_passwd(bio_err, passargin, NULL, &key, NULL))
			{
			BIO_printf(bio_err,"Error getting password\n");
			goto err;
			}
		}
	/* with -engine, load_key hands key to the engine via the UI method */
	pkey = load_key(bio_err, keyfile, keyform, 0, key, e,
		"CA private key");
	/* wipe the password from memory once the key is loaded */
	if (key) OPENSSL_cleanse(key,strlen(key));


Is the key argument of the load_key function the

I need to load the private key stored in the HSM to
sign certificates.

NOTE: the cards of the nCipher nShield HSM were read
before executing the openssl ca command.

Could anyone give me some hint to find out how to get
the HSM password?

Thanks a lot for your help.

antonio araujo
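As an added example (not code from the original post or from OpenSSL itself), this small C program mirrors what apps.c's app_get_pass() does with a -passin argument: it resolves the pass:, env: and file: sources into a caller-supplied buffer and then wipes that buffer, the way ca.c calls OPENSSL_cleanse() after load_key(). The names resolve_passin and wipe are hypothetical, and the fd: and stdin sources are left out.

```c
/* Added example mirroring OpenSSL's -passin handling; not OpenSSL code.
 * resolve_passin() and wipe() are hypothetical names. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Resolve a -passin style argument into out (NUL-terminated).
 * Returns 1 on success, 0 if the source is unknown or unavailable. */
int resolve_passin(const char *arg, char *out, size_t outlen)
{
    const char *src = NULL;

    if (strncmp(arg, "pass:", 5) == 0) {
        src = arg + 5;                   /* literal password on the command line */
    } else if (strncmp(arg, "env:", 4) == 0) {
        src = getenv(arg + 4);           /* env:pwd -> value of $pwd, as in the post */
        if (src == NULL)
            return 0;                    /* variable not set */
    } else if (strncmp(arg, "file:", 5) == 0) {
        FILE *fp = fopen(arg + 5, "r");  /* first line of the file is the password */
        if (fp == NULL)
            return 0;
        if (fgets(out, (int)outlen, fp) == NULL) {
            fclose(fp);
            return 0;
        }
        fclose(fp);
        out[strcspn(out, "\r\n")] = '\0';
        return 1;
    } else {
        return 0;                        /* fd: and stdin are not handled here */
    }

    if (strlen(src) >= outlen)
        return 0;                        /* refuse rather than silently truncate */
    memcpy(out, src, strlen(src) + 1);
    return 1;
}

/* Overwrite the password once the key is loaded, like
 * OPENSSL_cleanse(key, strlen(key)) in ca.c. volatile keeps the
 * compiler from optimising the stores away. */
void wipe(char *buf, size_t len)
{
    volatile char *p = buf;
    while (len--)
        *p++ = 0;
}
```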


OpenSSL Project
User Support Mailing List [hidden email]
Automated List Manager [hidden email]