Dr. Stephen Henson wrote:
> Depends on whether you want it embedded in the executable after it has been
> linked or at compile time, i.e. embedded in a C source file.

I think this is slightly off, but at link time (using the GNU tool chain) you can use:

    ld -b binary -r -o root.o root.pem

then in your program

    extern const char _binary_root_pem_start[];

will contain the contents of 'root.pem'. The object table includes "_binary_root_pem_size" and "_binary_root_pem_end" but it's too early in the morning to figure out why I'm having trouble accessing those values. There should be something in the archives in mid-late 2002 (iirc).

> If this is used for any kind of security you might consider obscuring the
> certificate in some way, to avoid simple replacement with a hex editor. Though
> a determined and knowledgeable attacker won't be so easily foiled.

A determined and knowledgeable attacker can subvert anything that's not in hardware. Pulling a cert from a server isn't that much harder to break given that it's trivial to set up a local DNS server that will redirect queries to the attacker's own server. (Or to simply use the same editor to replace your URL with their own.)

Another attack is to attach to the process, stop it after the cert has been loaded, then replace that cert with the attacker's.

One positive thing: if you're operating at this level it's trivial to use encryption and hashing to hide the cert and verify it has not been altered. It's not perfect and you'll still need to embed an encryption key.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
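
Added example, not part of the original message or of OpenSSL: one way to read the blob produced by the ld command above, taking its length as the distance between the start and end symbols and copying it out with an explicit length, since the embedded bytes have no terminating NUL. The names blob_len, pem_copy and PEM_HEAD, the 8192-byte buffer and the weak declarations (a GCC/Clang extension) are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Defined by root.o (ld -b binary -r -o root.o root.pem). Declared weak
 * (assumption: GCC/Clang) so this still links, as null, without root.o. */
extern const char _binary_root_pem_start[] __attribute__((weak));
extern const char _binary_root_pem_end[] __attribute__((weak));

#define PEM_HEAD "-----BEGIN CERTIFICATE-----"

/* Length of a blob bracketed by [start, end); 0 if absent or inverted.
 * The size is the distance between two addresses, not a stored integer. */
size_t blob_len(const char *start, const char *end)
{
    if (start == NULL || end == NULL || end <= start)
        return 0;
    return (size_t)(end - start);
}

/* Copy the blob into out as a C string; the raw bytes have no NUL, so
 * str*() calls must not see them. Returns the length copied, or 0 if the
 * blob is missing, lacks the PEM header, or does not fit (out is emptied). */
size_t pem_copy(const char *start, const char *end, char *out, size_t cap)
{
    size_t len = blob_len(start, end);
    if (cap > 0)
        out[0] = '\0';
    if (len < sizeof PEM_HEAD - 1 || len >= cap)
        return 0;
    if (memcmp(start, PEM_HEAD, sizeof PEM_HEAD - 1) != 0)
        return 0;
    memcpy(out, start, len);
    out[len] = '\0';
    return len;
}

int main(void)
{
    char pem[8192];
    size_t n = pem_copy(_binary_root_pem_start, _binary_root_pem_end,
                        pem, sizeof pem);
    if (n == 0) {
        fprintf(stderr, "no embedded certificate (was root.o linked?)\n");
        return 1;
    }
    printf("embedded PEM, %zu bytes\n", n);
    return 0;
}
```

Build it together with the object from the message, e.g. cc main.c root.o, where main.c is a hypothetical file name for the code above.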