Re: -keyex or -keysig pkcs12 option - Openssl

Hello,
> Would somebody have an updated description for the flags
> [-keyex|-keysig] of the pkcs12 command?
>
> The man page is rather outdated and maybe even wrong.
>
> QUOTE
> specifies that the private key is to be used for key exchange or just
> signing. This option is only interpreted by MSIE and similar MS
> software. Normally ``export grade'' software will only allow 512 bit
> RSA keys to be used for encryption purposes but arbitrary length keys
> for signing. The -keysig option marks the key for signing only.
> Signing only keys can be used for S/MIME signing, authenticode
> (ActiveX control signing) and SSL client authentication, however due
> to a bug only MSIE 5.0 and later support the use of signing only keys
> for SSL client authentication.
>
> For SSL client authentication, I'd expect that a private key for key
> exchange should be used (-keyex), rather than a signing key (-keysig).
>
> Any comment?
I think that this man page is correct.

When client authentication takes place, a special packet called
CLIENT_VERIFY is sent from the client to the server. This packet consists
of two hash values signed with the client's private key (this means,
of course: encrypted with the client's private key).
The server decrypts this packet (with the client's public key, sent before
in the CERTIFICATE packet) and calculates its own hash values.

As you see, in client authentication only signing is used
(encrypting with the client's private key) to prove the client's identity.
You may look for more details in the SSL 3.0 specification
(Certificate verify, 7.6.8).

In SSL3/TLS1 encryption is used, for example, to send the pre_master_key
from client to server in CLIENT_KEY_EXCHANGE (encrypted with the server's
RSA public key).
This packet is decrypted on the server (with the server's RSA private key)
and the pre_master_secret value is used for the master_secret calculation.
And this process may be "export restricted".
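The shell script below is an added example; it is not from the mailing-list post nor from the OpenSSL project. It covers both halves of the thread: what `-keysig` and `-keyex` actually put into the PKCS#12 file (the quoted man-page passage), and the sign-versus-encrypt distinction the reply draws between client authentication and RSA key exchange. It assumes a working `openssl` binary (OpenSSL 1.1.1 or 3.x); the subject name, file names and dummy password are constructed for the example, and one throwaway self-signed RSA key stands in for both the "client" and the "server" identity.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from the OpenSSL project.
# Assumes a working `openssl` binary (OpenSSL 1.1.1 or 3.x). The subject name,
# file names and the dummy password are constructed for this example.
set -eu

have_openssl() { command -v openssl >/dev/null 2>&1; }

# Create a throwaway 2048-bit RSA key and self-signed certificate in a temp
# directory and print the directory name (or "skip" when openssl is absent).
# The same identity stands in for the "client" and the "server" below.
make_test_identity() {
    if ! have_openssl; then echo skip; return 0; fi
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=keyex-vs-keysig example" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir"
}

# $1 = directory from make_test_identity, $2 = keysig | keyex | none.
# Export the key with that pkcs12 flag, read the file back, and print the hex
# value of the "X509v3 Key Usage" attribute on the PKCS#8 key bag: 80 with
# -keysig, 10 with -keyex, nothing when neither flag is given.
p12_key_usage() {
    if [ "$1" = skip ]; then echo skip; return 0; fi
    dir=$1
    case $2 in
        keysig) flag=-keysig ;;
        keyex)  flag=-keyex ;;
        none)   flag= ;;
        *) echo "unknown mode: $2" >&2; return 1 ;;
    esac
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/$2.p12" -passout pass:example $flag
    openssl pkcs12 -in "$dir/$2.p12" -passin pass:example -nodes 2>/dev/null \
        | sed -n 's/.*Key Usage: *\([0-9A-Fa-f]*\).*/\1/p'
}

# $1 = directory. Client authentication as the reply describes it: the client
# proves it holds the private key by SIGNING a hash of the handshake so far,
# and the server verifies that signature with the public key taken from the
# client's certificate. No secret is transported, so only signing is exercised.
client_auth_roundtrip() {
    if [ "$1" = skip ]; then echo skip; return 0; fi
    dir=$1
    printf 'constructed stand-in for the handshake transcript' > "$dir/transcript.bin"
    openssl dgst -sha256 -sign "$dir/key.pem" -out "$dir/transcript.sig" "$dir/transcript.bin"
    openssl x509 -in "$dir/cert.pem" -pubkey -noout > "$dir/pub.pem"
    if openssl dgst -sha256 -verify "$dir/pub.pem" -signature "$dir/transcript.sig" \
            "$dir/transcript.bin" >/dev/null 2>&1; then
        echo "signature ok"
    else
        echo "signature FAILED"
    fi
}

# $1 = directory. RSA key exchange as the reply describes it: the client
# ENCRYPTS a 48-byte pre_master_secret to the server's public key and only the
# server's private key recovers it. This is the operation the man page's
# "export grade" remark is about, not the signature above.
key_exchange_roundtrip() {
    if [ "$1" = skip ]; then echo skip; return 0; fi
    dir=$1
    openssl rand -out "$dir/pms.bin" 48
    openssl x509 -in "$dir/cert.pem" -pubkey -noout > "$dir/pub.pem"
    openssl pkeyutl -encrypt -pubin -inkey "$dir/pub.pem" \
        -in "$dir/pms.bin" -out "$dir/pms.enc"
    openssl pkeyutl -decrypt -inkey "$dir/key.pem" \
        -in "$dir/pms.enc" -out "$dir/pms.dec"
    if cmp -s "$dir/pms.bin" "$dir/pms.dec"; then
        echo "secret recovered"
    else
        echo "secret MISMATCH"
    fi
}

d=$(make_test_identity)
echo "-keysig -> Key Usage attribute: $(p12_key_usage "$d" keysig)"
echo "-keyex  -> Key Usage attribute: $(p12_key_usage "$d" keyex)"
echo "neither -> Key Usage attribute: '$(p12_key_usage "$d" none)'"
echo "client authentication (sign/verify): $(client_auth_roundtrip "$d")"
echo "RSA key exchange (encrypt/decrypt):  $(key_exchange_roundtrip "$d")"
[ "$d" = skip ] || rm -rf "$d"
```

The read-back shows the only thing the two flags change: a keyUsage (OID 2.5.29.15) attribute attached to the PKCS#8 key bag, 80 for `-keysig`, 10 for `-keyex`, and no attribute at all when neither flag is given. OpenSSL's own tools merely display that attribute, which matches the man page's statement that only MSIE and similar MS software interpret it. The two round-trip functions make the reply's point concrete: client authentication is a sign/verify operation with the client's key pair, while RSA key exchange is an encrypt/decrypt operation with the server's key pair.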
OpenSSL Project http://www.openssl.org
User Support Mailing List
Automated List Manager