On Mon, Feb 11, 2013 at 5:15 PM, Dave Thompson <dthomp...@prinpay.com> wrote: >> From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni >> Sent: Monday, 11 February, 2013 00:41 > >> On Mon, Feb 11, 2013 at 12:01:49AM -0500, Jeffrey Walton wrote: >> >> > >> I'm trying to extract a public key (subjectPublicKeyInfo) >> > >> form an X509 certificate. >> > > >> > > from apps/x509.c in the openssl source: >> > > >> > > EVP_PKEY *pkey; >> > > >> > > pkey=X509_get_pubkey(x); >> >> This is not the subjectPublicKeyInfo. It is just the key bits, sans >> algorithm and parameters. A common pitfall is to mistake this for >> the subjectPublicKeyInfo or to assume that X509_pubkey_digest() >> returns the digest of the subjectPublicKeyInfo. >> > Not really. EVP_PKEY has the algorithm, parameters if any, and key > pulled apart and converted to OpenSSL form, but they are all there. > > ... > > To "write out" to a file, don't need to manage a buffer explicitly, > can just i2d_X509_PUBKEY_{fp,bio} in one step. Unfortunately, it appears many of those functions (macros?) are undocumented. But I kind of know they exist, and have come across them in s_client.c and x509.c.
https://www.google.com/#q=i2d_X509_PUBKEY+site:openssl.org > Also i2d_$alg?PUBKEY (and PEM_write_$alg?PUBKEY) write pubkeyinfo > from several OpenSSL internal structs including EVP_PKEY. But to > just take existing info from a cert, your approach is more direct. It also has the benefit of direct memory comparison without the need for BIOs. Since I was pinning, I needed a standard presentation format to compare the public key offered by the server with the public key I expect (embedded within the application). I had that with PKCS#1 format and ASN.1 notation. I could write the server's public key to a memory BIO; but I could not load the expected key in memory from a file BIO; and there was no BIO_cmp_data(server, file) to tell me if there was a difference in bits (in constant time of the larger, FTW!). In the end, it was most expedient to simply use (1) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert)) on the server's certificate, (2) fopen/fseek/ftell/fread on the embedded public key, and then (3) memcmp. Sorry about not mentioning pinning sooner. I did not want to distract folks from the task at hand. Jeff ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org