> From: owner-openssl-us...@openssl.org On Behalf Of Carlos Saldaña
> Sent: Thursday, 08 July, 2010 18:51
> I'm to openssl and PKI in general and got a problem whit decrypting
in my application.
> My partners provided me with two files: publickey.x509 and
publickey.pem
> to find a wy to send messages between server and my client application.
Do you want to do this with SSL by calling openssl? Or are you trying
to re-implement SSL, or some other (likely bad) protocol, yourself?
If you call openssl, you don't need to decode any of these files,
just give the correct files to openssl in the correct places.
> So far I've dicovered that .pem files are just base64 encoded DER
files,
> DER is the encoding for x509 files that contain the publickey among other
information.
Only partly right.
.pem files are (just) base64 of DER *plus BEGIN/END lines plus
in some cases a few more header lines*. Those can be important.
DER is part of a general-purpose international standard ASN.1,
and is the encoding for many different things used in openssl.
(And in other applications also, not relevant here.)
An X.509 certificate is *ONE* thing that is encoded in DER,
*or* in PEM-armored-DER. (There are other things in X.509,
like CRLs, that you almost certainly don't care about.
When people just say X.509, they mean an X.509 cert.)
If you are doing an SSL server, using common web ciphersuites,
you need a *private key* and a (matching) *X.509 certificate*.
The cert contains the public key, plus additional data.
We can't tell just from the file names what those files contain.
They might have given you the cert in publickey.x509 (either PEM or DER)
and the *privatekey* in publickey.pem, although that would be a poor name.
A file containing only the publickey is possible, but useless.
Presumably publickey.pem *is* PEM; what type is in its BEGIN line?
> I have the following code:
> //Get the .pem file contents
> NSString *path = [[NSBundle mainBundle] pathForResource:@"publickey"
ofType:@"pem"];
> NSString * pemString = [NSString stringWithContentsOfFile:path
encoding:NSUTF8StringEncoding error:nil];
> const char *base64Text = [pemString cStringUsingEncoding:[NSString
defaultCStringEncoding]];
I don't know much ObjectiveC, or any NextStep; does that remove the labels?
> //Base64 decode to obtain a DER representation
> char *unBase64Text = unbase64((unsigned char *)base64Text,
strlen(base64Text));
> int dataLength = strlen(unBase64Text);
Even if base64Text is correctly the base64 data from the .pem,
after un-base64-ing strlen won't work. DER encodings are binary
and contain 'null' bytes which C considers to terminate a string.
Your unbase64 procedure *MUST* tell you the decoded length.
You should better declare the unbase64-ed DER as 'unsigned char *'
(or 'unsigned char []'). Although you can cast differently-signed chars
back and forth in C, this data actually is unsigned, and on systems
where C plain char is signed, the debugger etc. will give misleading
results.
> //Get RSA representation so we can encode messages to send
back to the server
> RSA *anRSA = d2i_RSAPublicKey(0, (unsigned char **)&unBase64Text,
dataLength);
In general whenever a libcrypto routine returns an error, and most
times when a libssl routine does, you should look at the error queue:
http://www.openssl.org/support/faq.html#PROG6
Even if unBase64Text for dataLength is correctly the unbase64-ed data,
it is *very* unlikely you have a file containing an RSAPublicKey structure.
Openssl normally uses files containing a X.509 cert which contains a
publickey
for any of several algorithms, possibly with algorithm-dependent parameters;
or a "PubKeyInfo" structure which does similarly. For the latter you should
use d2i_PUBKEY[_*] to get a generic EVP structure and then get the RSA part
if necessary -- or just use the openssl EVP routines which take it as-is --
or use d2i_RSA_PUBKEY[_*] which just does those two for you.
> What could am I doing wrong?
See above.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
