Re: Public key handle in HSM



yadav.dhananjay@xxxxxxxxx wrote on 29/02/2008 06:16:

> My main problem is how to generate a public key handle in a PCI
> HSM (Hardware security Model) from the certificate's public key.

"Generate" is likely not the right word.
I guess you simply want to perform public key cryptography using the public key present in the cert. Whether that pub. key is designated by a specific handle or not is certainly irrelevant; instead, you can certainly use the cert file itself.

Using openssl, you will simply designate the cert file in the operation,
e.g.: openssl pkeyutl -inkey theCertFile.der -keyform DER -certin ...
or:   openssl pkeyutl -inkey theCertFile.pem -keyform PEM -certin ...

> I do have the certificate, but I need to import the public key (handle) into
> the PCI HSM from the certificate to decrypt a message.

If you actually _decrypt_ a ciphertext with a _public key_ (that everybody knows), you have a problem.
When you decrypt, you will use a private key.
If you use a public key, you want to encrypt data.

> I am trying to use openssl to import the public key, but openssl is showing
> the following error...

AFAIK openssl has certainly nothing to do with your HSM!
Are you using a specifically tailored build of openssl that uses the HSM?
Or are you just using openssl to extract the pub. key file in order to import it into the HSM?
For the latter case, I'm not sure openssl provides such a function (since it uses the whole cert (not the pub. key) for public key operations).
You can use: openssl pkcs7 -in cert.pem -text to dump the cert and extract the public key components yourself.


> ********************************************************************************
> C:\OpenSSL\bin>openssl ca
> Using configuration from /usr/local/ssl/openssl.cnf

So openssl is badly installed or configured.
You should refer to the openssl doc. and/or mailing list.
ms.public.PSDK.security is not the right place for openssl support.

Sylvain.
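
The public/private key roles discussed in this thread, as an added example that is not part of the original posts: it pulls the public key and its modulus out of a certificate, encrypts with the certificate, and decrypts with the private key. It assumes a POSIX shell with the openssl CLI on the PATH; the key, certificate, message and file names are constructed for the example, and nothing here talks to an HSM.

```shell
#!/bin/sh
# Added example: throwaway key and certificate, constructed for illustration.

# Create an RSA key and a self-signed certificate in directory $1.
# The inline config avoids depending on a system-wide openssl.cnf.
make_cert() {
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=constructed-test\n' > "$1/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Extract the public key from the certificate and print its modulus.
# Assumption: modulus and exponent are the components a key import would need.
pubkey_modulus() {
    openssl x509 -in "$1/cert.pem" -pubkey -noout > "$1/pub.pem"
    openssl rsa -pubin -in "$1/pub.pem" -noout -modulus
}

# Encrypt message $2 with the certificate's public key, then decrypt it
# with the matching private key and print the recovered plaintext.
roundtrip() {
    printf '%s' "$2" > "$1/msg.txt"
    openssl pkeyutl -encrypt -certin -inkey "$1/cert.pem" \
        -in "$1/msg.txt" -out "$1/msg.enc"
    openssl pkeyutl -decrypt -inkey "$1/key.pem" -in "$1/msg.enc"
}

# Succeeds (returns 0) when openssl refuses to decrypt with only the public key.
pubkey_decrypt_refused() {
    ! openssl pkeyutl -decrypt -pubin -inkey "$1/pub.pem" \
        -in "$1/msg.enc" >/dev/null 2>&1
}

# Demo run in a temporary directory.
demo=$(mktemp -d)
make_cert "$demo" && pubkey_modulus "$demo" \
    && roundtrip "$demo" 'constructed message' && echo
pubkey_decrypt_refused "$demo" && echo "public key alone cannot decrypt"
rm -rf "$demo"
```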