On Mon, Apr 07, 2008 at 06:25:21PM -0600, Tuan Vu wrote:

> Assume that I write a client app A and a server app B. A and B set up a SSL
> connection. A wants to send B some file and its signature. Once B receives
> the file and its signature, B has to verify if it's correct or not.

Once you have the SSL connection, just send the file. No need to further
encrypt or sign anything with the keys of the client or server. If you
want to securely transport data signed by yet anothe party, that makes
sense in some cases.

> I dont want A and B to exchange any signing key manually. Instead, I want to
> use A's private key/public key (agreed by both sides during the SSL
> handshake process) to sign and verify signature. Thus, after a SSL
> connection is established, from A's side, I need to get the A's private key
> (part 1). From B's side I need to get B's public key (part 2). I looked at
> the SSL document and only found EVP_PKEY *SSL_get_privatekey(SSL *ssl), can
> I use this API for part 1? If not, what else can I do. And how can I do part

This makes no sense, just do mutual authentication when you set up the
TLS session (B requests and checks A's client cert, A checks B's server
cert), then you have a secure channel and can send arbitrary data without
further encryption.

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org