Thanks Dave,

EVP_DecodeBlock did the magic.

-Sri


On Tue, Feb 5, 2013 at 5:47 AM, Dave Thompson <dthomp...@prinpay.com> wrote:

> >From: owner-openssl-us...@openssl.org On Behalf Of Srivardhan Hebbar
> >Sent: Tuesday, 29 January, 2013 04:57
>
> >I have a string which has the certificate in PEM (Base64) format.
> >I want to convert it to DER format (unsigned char). How can I do it?
> >I wrote the following code:<snip>
> >This code is failing. I am always getting 'x' as null.
>
> PEM is not just base64. PEM is base64 plus header and trailer lines,
> here -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- .
> Do you have that?
>
> If not, either:
>
> - add the header and trailer lines, then PEM_read and i2d as now --
> except there is no guarantee that a (DER) certificate fits in 4K
> bytes. Reasonable DNs, and practically usable pubkey and signature,
> can't be much more than 1K, but CAs can, and some do, add the most
> mind-boggling crud in extensions. Either call i2d_(,NULL) first to
> determine the length and allocate that; or call it and check the
> length fits in your fixed size before doing i2d_(,buffer);
> or check the PEM (or just the base64) before decoding is not more
> than about 5.3KC (which does guarantee the binary fits in 4KB).
>
> - decode the base64 to binary directly. With OpenSSL you can
> read it through a b64-BIO, or (undocumented) just call
> EVP_DecodeBlock, or you can decode b64 in about 20 lines
> of C (maybe 10 if you don't care about handling errors).
> Unlike the above approach this does not check your data contains
> a facially-valid cert (that is, it is correctly structured and
> all required fields exist, but we don't know if it was properly
> signed by a trusted CA and not expired or revoked). But if you
> subsequently use the DER cert for anything, presumably that will
> at least decode it and hopefully verify/validate it.
>
> Aside: you could save some copies by creating a readonly mem-BIO
> directly on the c++ std::string's internal buffer, instead of
> .c_str() which may need to copy and BIO_puts which definitely does.
> But unless you have many (or huge) certs this shouldn't matter much.
>
>
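
An added example, not code from either poster or from OpenSSL: the second approach Dave describes, decoding the base64 body by hand in C with error handling, combined with the size check he recommends so the output can never overrun a fixed buffer. The function name `pem_to_der` and the sample input are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: DER bytes 30 03 02 01 05 in PEM framing (not a real certificate). */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\nMAMC\nAQU=\n-----END CERTIFICATE-----\n";

/* Map a base64 character to its 6-bit value, or -1 if outside the alphabet. */
static int b64val(int c)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Decode PEM (or bare base64) into out[0..cap). Returns the binary length, or
 * -1 on a bad character, bad padding, or when the result does not fit in cap. */
long pem_to_der(const char *pem, unsigned char *out, size_t cap)
{
    unsigned acc = 0;
    int bits = 0, pad = 0, bol = 1;
    size_t n = 0, cnt = 0;

    for (const char *p = pem; *p; p++) {
        if (bol && strncmp(p, "-----", 5) == 0) {  /* header or trailer line */
            p += strcspn(p, "\n");                 /* jump to its end */
            if (!*p) break;
            continue;
        }
        bol = (*p == '\n');
        if (*p == '\n' || *p == '\r' || *p == ' ' || *p == '\t') continue;
        if (*p == '=') { if (++pad > 2) return -1; continue; }
        int v = b64val(*p);
        if (v < 0 || pad) return -1;               /* junk, or data after '=' */
        acc = ((acc << 6) | (unsigned)v) & 0xFFFF;
        cnt++;
        if ((bits += 6) >= 8) {
            if (n >= cap) return -1;               /* never write past the buffer */
            bits -= 8;
            out[n++] = (unsigned char)(acc >> bits);
        }
    }
    return ((cnt + pad) % 4 == 0) ? (long)n : -1;
}

int main(void)
{
    unsigned char der[4096];
    printf("%ld DER bytes\n", pem_to_der(SAMPLE_PEM, der, sizeof der));
    return 0;
}
```

This decoder returns the exact binary length, whereas `EVP_DecodeBlock` returns a length that still counts the zero bytes produced by trailing `=` padding, so its callers have to trim those themselves. As with any direct base64 decode, nothing here checks that the bytes form a well-structured certificate.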
