Hi Stephen,

I agree about not preserving undocumented features. I couldn't find any place where the API usage is well documented, so I thought if stdin is allowed by the API it is probably ok to use.

I will change my usage to use a file instead of both the key and passphrase using stdin.

However, if what I want is to just decrypt the key using a passphrase, and if I am running this on the system (so stdin is secure), is it a valid use to pass both on the same stream?
Also, how do I know what usage is correct? Can I pass the key in a file and the passphrase on stdin?


Stephen Henson via RT wrote:
If we had to preserve the behaviour of every undocumented feature of
OpenSSL we'd never be able to change anything.

Among other things this has a dependency on the way the PEM routines work.

Currently they buffer the whole lot in memory and request the passphrase.

A more efficient way would be to read in the headers, request the
passphrase at that point, then decrypt the rest on the fly.

What are you trying to do? There may be a portable way to do it.

I'm not really sure what the purpose of placing a private key and its
passphrase on the same stream are. If the stream is secure you might as
well send the unencrypted private key. If it is not secure then an
attacker could just as easily obtain the private key and passphrase.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
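The question above is whether the key can come from a file while only the passphrase arrives on stdin. The following script is an added example, not code from this thread or from the OpenSSL project; it uses the documented passphrase sources of the openssl command-line tool (`-passin`/`-passout` with `pass:`, `file:`, `fd:`, `stdin`, `env:`) to show the two separate-channel forms the reply is steering toward: key in a file plus passphrase on stdin, and key in a file plus passphrase in an owner-only file. The passphrase value and file names are constructed for the demo. It assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example: keep the encrypted private key in a file and hand openssl
# only the passphrase through a separate channel (stdin or a 0600 file).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
umask 077   # every file created below is owner-only (0600)

make_encrypted_key() {
  # $1 = work dir, $2 = passphrase (constructed sample value).
  # Generates a throwaway 2048-bit RSA key and an AES-256-CBC encrypted copy.
  # The passphrase is written to a 0600 file and passed as file:, so it never
  # shows up in argv (visible to every local user via ps) or the environment.
  dir=$1; pass=$2
  printf '%s\n' "$pass" > "$dir/pass.txt"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/plain.pem" 2>/dev/null
  openssl pkey -in "$dir/plain.pem" -aes-256-cbc \
    -passout "file:$dir/pass.txt" -out "$dir/enc.pem"
}

decrypt_pass_stdin() {
  # $1 = work dir, $2 = passphrase, $3 = output file.
  # The key comes from -in (a file); stdin carries ONLY the passphrase line.
  # Returns openssl's exit status: 0 on success, non-zero on a wrong passphrase.
  dir=$1; pass=$2; out=$3
  printf '%s\n' "$pass" | openssl pkey -in "$dir/enc.pem" -passin stdin \
    -out "$out" 2>/dev/null
}

decrypt_pass_file() {
  # $1 = work dir. Passphrase read from the 0600 file written above.
  dir=$1
  openssl pkey -in "$dir/enc.pem" -passin "file:$dir/pass.txt" \
    -out "$dir/dec_file.pem" 2>/dev/null
}

same_key() {
  # Compare the public halves of two PEM keys so that PEM encoding
  # differences between tools/versions do not produce a false mismatch.
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

PASS='correct horse battery staple'   # constructed sample passphrase
make_encrypted_key "$WORK" "$PASS"

decrypt_pass_stdin "$WORK" "$PASS" "$WORK/dec_stdin.pem" \
  && same_key "$WORK/plain.pem" "$WORK/dec_stdin.pem" \
  && echo "key from file, passphrase on stdin: ok"

decrypt_pass_file "$WORK" \
  && same_key "$WORK/plain.pem" "$WORK/dec_file.pem" \
  && echo "key from file, passphrase from 0600 file: ok"

decrypt_pass_stdin "$WORK" "not-the-passphrase" "$WORK/dec_bad.pem" \
  || echo "wrong passphrase rejected (non-zero exit): ok"
```

Both forms keep the key and its passphrase on different channels, which is the distinction the reply draws: if the single stream carrying both is trusted, the encryption buys nothing, and if it is not, an attacker who reads it gets both. `-passin stdin` only works because the key itself is supplied with `-in`; the passphrase reader consumes one line from stdin, so nothing else can share that stream.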