HsOpenSSL only allows you to specify a PEM decryption password when decoding a PEM file and then using sslContextSetPrivateKey with the resulting key, but HsOpenSSL can only open RSA and DSA keys this way. The better solution is to use sslContextSetPrivateKeyFile to set any private key so that all algorithms supported by the underlying OpenSSL version will be available (things like elliptic curve systems). Unfortunately HsOpenSSL doesn't expose the ability to set the default password callback/userdata needed to provide a password to this function, nor does it expose the internal functions to wrap PemPasswordSupply for use with these callbacks.
I've temporarily added bindings to the necessary functions in my connection library
The good solution would be to add a PemPasswordSupply parameter to sslContextSetPrivateKeyFile that would temporarily set the default password callback and userdata the same as is done in the PEM read implementation.
Note, sslContextSetPrivateKeyFile would need to switch to a safe import
HsOpenSSL only allows you to specify a PEM decryption password when decoding a PEM file and then using
sslContextSetPrivateKey
with the resulting key, but HsOpenSSL can only open RSA and DSA keys this way. The better solution is to usesslContextSetPrivateKeyFile
to set any private key so that all algorithms supported by the underlying OpenSSL version will be available (things like elliptic curve systems). Unfortunately HsOpenSSL doesn't expose the ability to set the default password callback/userdata needed to provide a password to this function, nor does it expose the internal functions to wrapPemPasswordSupply
for use with these callbacks.I've temporarily added bindings to the necessary functions in my connection library
https://github.com/glguy/irc-core/blob/5c4f379ecf8b40f9b9d72206a5cc9a248d224e24/hookup/src/Hookup/OpenSSL.hsc#L34-L49 https://github.com/glguy/irc-core/blob/5c4f379ecf8b40f9b9d72206a5cc9a248d224e24/hookup/src/Hookup.hs#L593-L599
The good solution would be to add a
PemPasswordSupply
parameter tosslContextSetPrivateKeyFile
that would temporarily set the default password callback and userdata the same as is done in the PEM read implementation.Note,
sslContextSetPrivateKeyFile
would need to switch to asafe
import