How to set password connecting to a web service with client-authentication for KeyFile?

I have to write a program (Delphi XE5, Indy 10: TIdHTTP & TIdSSLIOHandlerSocketOpenSSL) which can connect to a web service with client authentication. After several days of work it finally succeeded. I can connect using the authentication, setting the TIdSSLIOHandlerSocketOpenSSL's SSLOptions.CertFile and SSLOptions.KeyFile properties. It's fine. (I've got a pfx file from my partner; I exported it to a certificate and a private key file with OpenSSL, so I use these 2 files in the program.)

I have one TButton, TMemo and TIdHTTP component on the form.

Source code (the button's click event; the IdHTTP1.Request.ContentType := '.......' line is only needed for the communication because of the server settings):

procedure TForm1.Button1Click(Sender: TObject);
var
  URL: string;
  XML: TStrings;
  S: string;
  Req: TStream;
  SL: TStringList;
  SSL1: TIdSSLIOHandlerSocketOpenSSL;
begin
  // Build the WS-Trust (RST/Issue) SOAP request body
  XML := TStringList.Create;
  try
    XML.Add('<soap:Envelope xmlns:ns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" ' +
      'xmlns:soap="http://www.w3.org/2003/05/soap-envelope">');
…
    XML.Add('   <soap:Body>');
…
    XML.Add('   </soap:Body>');
    XML.Add('</soap:Envelope>');
    URL := 'https://…………………….';

    Req := TStringStream.Create(XML.Text, TEncoding.UTF8);
  finally
    XML.Free;  // the stream holds its own copy of the text
  end;

  try
    // Client-authenticated TLS: certificate and (unencrypted) private key as PEM files
    SSL1 := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
    SSL1.SSLOptions.CertFile := 'd:\certificate.pem';
    SSL1.SSLOptions.KeyFile := 'd:\private.pem';
    SSL1.SSLOptions.Mode := sslmClient;
    try
      SSL1.SSLOptions.Method := sslvSSLv23;
      IdHTTP1.IOHandler := SSL1;
      // Content type required by the server for the RST/Issue action
      IdHTTP1.Request.ContentType := 'application/soap+xml;charset=UTF-8;action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"';
      S := IdHTTP1.Post(URL, Req);
    finally
      SSL1.Free;
    end;
  finally
    Req.Free;
  end;

  ResultMemo.Lines.Add(Format('Response Code: %d', [IdHTTP1.ResponseCode]));
  ResultMemo.Lines.Add(Format('Response Text: %s', [IdHTTP1.ResponseText]));

  // Show the response body line by line
  SL := TStringList.Create;
  try
    SL.Text := S;
    ResultMemo.Lines.AddStrings(SL);
  finally
    SL.Free;
  end;
end;

The problem is: my partner said this case is not the best if the file I use is not password-protected. They told me how to create a password-protected (and encrypted) file for the KeyFile with OpenSSL. When I set this password-protected file as the SSLOptions.KeyFile I get the following error message: "Could not load key, check password. error:0906A068:PEM routines:PEM_do_header:bad password read."

I tried to set the password in the IdHTTP1.Request.Password property, but the result is the same.

Question: how and where do I have to set the password for the KeyFile if I have to use a password-protected keyfile? Because I have to publish the certificate files, too, the best solution would be to set the password in the program and use the password-protected KeyFile, instead of an unprotected KeyFile.

Thanks a lot.

Regards, Attila

Asked Dec 11 '25 04:12 by Attila

1 Answer

Use the IdSSLIOHandlerSocketOpenSSL.OnGetPassword event and set it here.

procedure TForm1.IdSSLIOHandlerSocketOpenSSL1GetPassword(var Password: string);
begin
  Password := 'thepassword';
end;

Answered Dec 14 '25 06:12 by Charles-Henri
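As an added example that is not part of the question or the answer, here is how the OnGetPassword handler fits the question's runtime-created IO handler, and what to do when the passphrase is wrong. It assumes the question's TForm1 with IdHTTP1 and ResultMemo, a hypothetical masked TEdit named PasswordEdit, a method name GetKeyPassword I chose, and placeholder URL/body values.

```delphi
uses
  System.Classes, System.SysUtils, Vcl.Forms, Vcl.StdCtrls, IdHTTP, IdSSLOpenSSL;
type
  TForm1 = class(TForm)
    IdHTTP1: TIdHTTP;
    ResultMemo: TMemo;
    PasswordEdit: TEdit;  // hypothetical: PasswordChar set to '*' in the designer
    procedure Button1Click(Sender: TObject);
  private
    // Signature must match Indy's TPasswordEvent (var Password: string), as in the answer
    procedure GetKeyPassword(var Password: string);
  end;
procedure TForm1.GetKeyPassword(var Password: string);
begin
  // OpenSSL fires this callback when it meets an encrypted PEM block. Taking the
  // passphrase from the UI (or a secret store) keeps it out of the shipped .pem files.
  Password := PasswordEdit.Text;
end;
procedure TForm1.Button1Click(Sender: TObject);
var
  SSL1: TIdSSLIOHandlerSocketOpenSSL;
  Req: TStringStream;
  S: string;
begin
  SSL1 := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
  Req := TStringStream.Create('<soap:Envelope/>', TEncoding.UTF8); // placeholder body
  try
    SSL1.SSLOptions.Mode := sslmClient;
    SSL1.SSLOptions.Method := sslvSSLv23;             // as in the question
    SSL1.SSLOptions.CertFile := 'd:\certificate.pem';
    SSL1.SSLOptions.KeyFile := 'd:\private.pem';      // the password-protected key
    // Hook the callback BEFORE the first request: the key is loaded when the SSL
    // context is initialised, so a handler assigned after Post is never asked.
    SSL1.OnGetPassword := GetKeyPassword;
    IdHTTP1.IOHandler := SSL1;
    IdHTTP1.Request.ContentType := 'application/soap+xml;charset=UTF-8';
    try
      S := IdHTTP1.Post('https://example.invalid/sts', Req); // placeholder URL
      ResultMemo.Lines.Add(Format('Response Code: %d', [IdHTTP1.ResponseCode]));
      ResultMemo.Lines.Add(S);
    except
      on E: EIdOSSLLoadingKeyError do   // wrong passphrase: the "bad password read" case
        ResultMemo.Lines.Add('Could not unlock the private key: ' + E.Message);
    end;
  finally
    IdHTTP1.IOHandler := nil;  // drop the reference before freeing the handler
    SSL1.Free;
    Req.Free;
  end;
end;
```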