Securing Passphrase
CADP for C allows you to use an obfuscated, secured (supplied by a callback function), or plaintext passphrase for the private key.
Obfuscated Passphrase
Note
• On successful installation (using the SSL protocol) of CADP for C, the installer automatically sets Passphrase_Encrypted=yes in the CADP_CAPI.properties and CADP_PKCS11.properties files.
• If you have generated the certificate manually and encrypted the private key with a passphrase, you can also encrypt the passphrase using the PassPhraseSecure utility. In this case, you must set Passphrase_Encrypted=yes in the CADP_CAPI.properties or CADP_PKCS11.properties file yourself.
To obfuscate the passphrase and store the obfuscated value in the Passphrase parameter, use the PassPhraseSecure utility. Its parameters let you supply the input in different ways:
PassPhraseSecure -txt <TextToBeObfuscated> - Takes the text from the command line and displays its obfuscated value.
Note
If the text to be obfuscated contains whitespace, it must be enclosed in double quotes (" ").
For example:
[et-apps@localhost bin]$ ./PassPhraseSecure -txt "hello, input to passpharase"
41058116C2572937869274FC1BD81EDB75AF95182F62870815220A3890B3BD6C
Note
The text to be obfuscated must be at most 1023 characters long, excluding leading and trailing whitespace. Any leading and trailing whitespace is removed from the text before obfuscation.
PassPhraseSecure -file <FileName> - Reads the text from a file and displays its obfuscated value. FileName is the name (with path) of the file containing the text to be obfuscated.
For example:
[et-apps@localhost bin]$ ./PassPhraseSecure -file test.txt
66A09CF4974DB15B1E3C22F89912338E
Note
There is no restriction on the length of the file. However, only the first line of the file is obfuscated, irrespective of the file length.
PassPhraseSecure -help - Displays the usage of this utility on the console.
For example:
[et-apps@localhost bin]$ ./PassPhraseSecure -help
Usage :
Passphrase -help -- To print this help
Passphrase -txt <TextToBeObfuscated> -- Obfuscates the provided text
Passphrase -file <FileName> -- Obfuscates first line of the file provided in file name
If you run the utility without any parameter, the -help output is displayed.
Secured Passphrase
You can use the I_C_SetPassPhraseCallback() function to secure the passphrase. This function registers a user-specified callback from which the library obtains the passphrase. The I_C_SetPassPhraseCallback() function can only be used when Passphrase_Encrypted=no. Once the callback has been set, the plaintext passphrase stored in the Passphrase parameter is ignored.
Example
The following is an example of using secured passphrase functionality:
#include <stdio.h>
/* plus the CADP for C CAPI header that declares I_C_SetPassPhraseCallback(),
   I_C_GetErrorString() and I_E_OK */

char str[100] = {0,};

/* Callback invoked by the library when it needs the private-key passphrase.
   arg is the name of the key file being read. */
char * getstring (void *arg)
{
    printf("\nPlease enter password for private key [%s] : ", (char *)arg);
    scanf("%99s", str); /* bounded to the buffer; a real application should read the
                           passphrase without echo through its own user interface */
    return str;
}

/* Before calling I_C_OpenSession, register the callback for the passphrase. */
rc = I_C_SetPassPhraseCallback(getstring);
if (rc != I_E_OK)
{
    fprintf(stderr, "I_C_SetPassPhraseCallback error: %s\n", I_C_GetErrorString(rc));
    return rc;
}
This causes the password to be collected dynamically when the Key_File is read while establishing the SSL connection with the server. Here, getstring is the user-specified function that lets you choose how the passphrase is obtained and protected. For details on the I_C_SetPassPhraseCallback() function, refer to the CADP for C CAPI API Guide.
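The getstring() example above reads the passphrase with scanf while the terminal echoes it, and hands the same buffer to the library indefinitely. The following is an added example, not CADP code, of a callback with the same shape that disables echo on a terminal, rejects a line that does not fit instead of silently truncating it, and wipes the buffer once the session is open. The CADP header, the I_C_SetPassPhraseCallback() registration and the key file name "client-key.pem" are assumptions and appear only in comments and in main(); read_passphrase_line() is the testable core.

```c
/* Added example, not CADP code: a hardened passphrase callback with the shape
 * of the page's getstring().  The CADP header, the I_C_SetPassPhraseCallback()
 * registration and the name "client-key.pem" are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

#define PASSPHRASE_MAX 1023  /* same limit PassPhraseSecure applies to its input */

/* Wipe memory in a way the optimiser cannot remove. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Read one line from 'in' into buf (capacity cap) with terminal echo disabled
 * when 'in' is a tty.  Returns the passphrase length (0..cap-2), -1 on EOF or
 * read error, -2 if the line does not fit.  buf is zeroed on every failure so a
 * truncated passphrase is never handed to the library. */
int read_passphrase_line(FILE *in, char *buf, size_t cap)
{
    struct termios saved, quiet;
    int fd = fileno(in);
    int tty = fd >= 0 && isatty(fd) && tcgetattr(fd, &saved) == 0;

    if (tty) {
        quiet = saved;
        quiet.c_lflag &= ~(tcflag_t)ECHO;
        tcsetattr(fd, TCSAFLUSH, &quiet);
    }
    char *got = fgets(buf, (int)cap, in);
    if (tty) {
        tcsetattr(fd, TCSAFLUSH, &saved);
        fputc('\n', stderr);            /* the user's Enter was not echoed */
    }
    if (got == NULL) {
        secure_zero(buf, cap);
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else if (!feof(in)) {
        int c;                           /* overlong line: drain it and reject */
        while ((c = fgetc(in)) != EOF && c != '\n') { }
        secure_zero(buf, cap);
        return -2;
    }
    return (int)len;
}

/* Buffer handed back to the library; clear_passphrase_buffer() wipes it once
 * I_C_OpenSession() has returned. */
static char passphrase_buf[PASSPHRASE_MAX + 2];

/* Same signature as getstring() on this page; arg is the key file name the
 * library passes.  On failure the buffer is empty, so the key decrypt fails
 * instead of proceeding with a partial or stale passphrase. */
char *cadp_passphrase_callback(void *arg)
{
    fprintf(stderr, "Please enter password for private key [%s]: ",
            arg ? (const char *)arg : "?");
    read_passphrase_line(stdin, passphrase_buf, sizeof passphrase_buf);
    return passphrase_buf;
}

void clear_passphrase_buffer(void)
{
    secure_zero(passphrase_buf, sizeof passphrase_buf);
}

/* Registration, before I_C_OpenSession(), as on the page (CADP header assumed):
 *   rc = I_C_SetPassPhraseCallback(cadp_passphrase_callback);
 *   if (rc != I_E_OK) { ... I_C_GetErrorString(rc) ... }
 * and after the session is open: clear_passphrase_buffer(); */
int main(void)
{
    const char *pw = cadp_passphrase_callback("client-key.pem"); /* assumed name */
    fprintf(stderr, "read %zu characters\n", strlen(pw));
    clear_passphrase_buffer();
    return 0;
}
```

Run stand-alone it prompts on stderr and reports only the length, never the passphrase. The -2 path matters in practice: a library that received a truncated passphrase would fail the key decrypt with a misleading error, whereas here the caller sees the rejection and the partial input is already wiped.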
Plaintext Passphrase
When Passphrase_Encrypted is set to no and the callback function is not used, the Passphrase parameter stores the private key's password in plaintext. Storing the password in plaintext on the system is poor security practice, as anyone who can read the properties file and the key file can use the private key.
Note
It is strongly recommended to use a secured or obfuscated passphrase. Note that obfuscation is reversible by design (the library must recover the passphrase to decrypt the key), so it protects only against casual disclosure of the properties file; the callback approach keeps the passphrase out of the configuration file altogether.
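The three modes described in this section (obfuscated, secured via callback, plaintext) are distinguished by Passphrase_Encrypted and whether Passphrase carries a value. The following is an added example, not CADP code, of a small lint over the text of CADP_CAPI.properties or CADP_PKCS11.properties that reports which mode a configuration is in and flags the common mistake of flipping the flag to yes while leaving the plaintext in place. The property names are the ones on this page; the key=value line syntax, '#' comments, the treatment of a missing flag as invalid, and the heuristic that obfuscated values are hex (as both PassPhraseSecure outputs on this page are) are assumptions. The sample configurations are constructed.

```c
/* Added example, not CADP code: reports which passphrase mode a properties
 * text is in.  Line syntax, '#' comments and the hex heuristic are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum passphrase_mode {
    PP_OBFUSCATED,        /* Passphrase_Encrypted=yes, Passphrase holds PassPhraseSecure output */
    PP_PLAINTEXT_ON_DISK, /* =no, Passphrase set: plaintext unless a callback is registered */
    PP_NEEDS_CALLBACK,    /* =no, Passphrase empty: only I_C_SetPassPhraseCallback() can supply it */
    PP_INVALID            /* flag missing or unknown, or =yes with a non-obfuscated value */
};

/* Strip leading and trailing whitespace in place. */
static void trim(char *s)
{
    size_t n = strlen(s), i = 0;
    while (n > 0 && isspace((unsigned char)s[n - 1])) s[--n] = '\0';
    while (s[i] && isspace((unsigned char)s[i])) i++;
    if (i) memmove(s, s + i, n - i + 1);
}

/* Copy the trimmed value of `key` into out; returns 1 if the key was found. */
static int lookup_property(const char *text, const char *key, char *out, size_t cap)
{
    out[0] = '\0';
    while (*text) {
        const char *end = strchr(text, '\n');
        size_t len = end ? (size_t)(end - text) : strlen(text);
        char line[2048];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        trim(line);
        char *eq = strchr(line, '=');
        if (line[0] != '#' && line[0] != '!' && eq) {
            *eq = '\0';
            trim(line);                  /* exact key match, so "Passphrase" never matches "Passphrase_Encrypted" */
            if (strcmp(line, key) == 0) {
                trim(eq + 1);
                snprintf(out, cap, "%s", eq + 1);
                return 1;
            }
        }
        if (!end) break;
        text = end + 1;
    }
    return 0;
}

static int is_hex_string(const char *s)
{
    if (!*s) return 0;
    for (; *s; s++) if (!isxdigit((unsigned char)*s)) return 0;
    return 1;
}

enum passphrase_mode classify_passphrase_config(const char *properties_text)
{
    char encrypted[32], passphrase[2048];
    lookup_property(properties_text, "Passphrase_Encrypted", encrypted, sizeof encrypted);
    lookup_property(properties_text, "Passphrase", passphrase, sizeof passphrase);

    if (strcmp(encrypted, "yes") == 0)  /* heuristic: utility output on this page is hex */
        return is_hex_string(passphrase) ? PP_OBFUSCATED : PP_INVALID;
    if (strcmp(encrypted, "no") == 0)
        return passphrase[0] ? PP_PLAINTEXT_ON_DISK : PP_NEEDS_CALLBACK;
    return PP_INVALID;                  /* absent or unrecognised: set it explicitly */
}

const char *passphrase_mode_name(enum passphrase_mode m)
{
    switch (m) {
    case PP_OBFUSCATED:        return "obfuscated";
    case PP_PLAINTEXT_ON_DISK: return "plaintext on disk (unless a callback is registered)";
    case PP_NEEDS_CALLBACK:    return "callback required";
    default:                   return "invalid";
    }
}

/* Constructed samples, not real configuration files. */
static const char SAMPLE_OBFUSCATED[] = "# constructed sample\nPassphrase_Encrypted=yes\n"
    "Passphrase=41058116C2572937869274FC1BD81EDB75AF95182F62870815220A3890B3BD6C\n";
static const char SAMPLE_PLAINTEXT[] = "Passphrase_Encrypted=no\nPassphrase=hunter2\n";
static const char SAMPLE_CALLBACK_ONLY[] = "Passphrase_Encrypted=no\nPassphrase=\n";
static const char SAMPLE_FLAG_FLIPPED_ONLY[] =
    "Passphrase_Encrypted = yes\nPassphrase = hello, input to passpharase\n";

int main(void)
{
    const char *samples[] = { SAMPLE_OBFUSCATED, SAMPLE_PLAINTEXT,
                              SAMPLE_CALLBACK_ONLY, SAMPLE_FLAG_FLIPPED_ONLY };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i + 1,
               passphrase_mode_name(classify_passphrase_config(samples[i])));
    return 0;
}
```

The fourth sample is the case worth catching in a deployment check: Passphrase_Encrypted was switched to yes by hand but Passphrase still holds the text that should have been run through PassPhraseSecure, so the library would try to de-obfuscate a plaintext passphrase and the SSL connection would fail for a reason the error message is unlikely to make obvious.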