On Mon, Feb 11, 2013 at 5:15 PM, Dave Thompson <dthomp...@prinpay.com> wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni
>> Sent: Monday, 11 February, 2013 00:41
>
>> On Mon, Feb 11, 2013 at 12:01:49AM -0500, Jeffrey Walton wrote:
>>
>> > >> I'm trying to extract a public key (subjectPublicKeyInfo)
>> > >> from an X509 certificate.
>> > >
>> > > from apps/x509.c in the openssl source:
>> > >
>> > >         EVP_PKEY *pkey;
>> > >
>> > >         pkey=X509_get_pubkey(x);
>>
>> This is not the subjectPublicKeyInfo. It is just the key bits, sans
>> algorithm and parameters.  A common pitfall is to mistake this for
>> the subjectPublicKeyInfo or to assume that X509_pubkey_digest()
>> returns the digest of the subjectPublicKeyInfo.
>>
> Not really. EVP_PKEY has the algorithm, parameters if any, and key
> pulled apart and converted to OpenSSL form, but they are all there.
>
> ...
>
> To "write out" to a file, don't need to manage a buffer explicitly,
> can just i2d_X509_PUBKEY_{fp,bio} in one step.

Unfortunately, it appears many of those functions (macros?) are
undocumented. But I kind of know they exist, and have come across them
in s_client.c and x509.c.

https://www.google.com/#q=i2d_X509_PUBKEY+site:openssl.org

> Also i2d_$alg?PUBKEY (and PEM_write_$alg?PUBKEY) write pubkeyinfo
> from several OpenSSL internal structs including EVP_PKEY. But to
> just take existing info from a cert, your approach is more direct.

It also has the benefit of direct memory comparison without the need for BIOs.

Since I was pinning, I needed a standard presentation format to
compare the public key offered by the server with the public key I
expect (embedded within the application). I had that with PKCS#1
format and ASN.1 notation.

I could write the server's public key to a memory BIO; but I could not
load the expected key in memory from a file BIO; and there was no
BIO_cmp_data(server, file) to tell me if there was a difference in
bits (in constant time of the larger, FTW!).

In the end, it was most expedient to simply use (1)
i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert)) on the server's
certificate, (2) fopen/fseek/ftell/fread on the embedded public key,
and then (3) memcmp.

Sorry about not mentioning pinning sooner. I did not want to distract
folks from the task at hand.

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
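
An added example, not code from the message above or from the OpenSSL project: steps (2) and (3) of the approach Jeff describes, with the plain memcmp swapped for a comparison that runs over the longer of the two buffers and has no early exit. It assumes the `spki` buffer is the DER output of `i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert))` from step (1); `ct_equal`, `read_pin`, `spki_pin_matches`, `MAX_PIN_LEN` and `pin_demo.der` are hypothetical names, and the sample bytes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#define MAX_PIN_LEN 8192L /* assumed upper bound for a DER-encoded SPKI */
/* Compare over the longer length with no early exit; a length mismatch fails. */
static int ct_equal(const unsigned char *a, size_t alen, const unsigned char *b, size_t blen)
{
    unsigned char diff = (unsigned char)(alen != blen);
    for (size_t i = 0; i < alen || i < blen; i++)
        diff |= (unsigned char)((i < alen ? a[i] : 0) ^ (i < blen ? b[i] : 0));
    return diff == 0;
}

/* Step (2) of the message: fopen/fseek/ftell/fread. Caller frees the buffer. */
static unsigned char *read_pin(const char *path, size_t *len)
{
    unsigned char *buf = NULL;
    long sz = 0;
    FILE *fp = fopen(path, "rb");
    if (fp == NULL) return NULL;
    if (fseek(fp, 0, SEEK_END) == 0 && (sz = ftell(fp)) > 0 && sz <= MAX_PIN_LEN &&
        fseek(fp, 0, SEEK_SET) == 0 && (buf = malloc((size_t)sz)) != NULL &&
        fread(buf, 1, (size_t)sz, fp) != (size_t)sz) {
        free(buf); /* short read: never compare partial data */
        buf = NULL;
    }
    fclose(fp);
    *len = buf ? (size_t)sz : 0;
    return buf;
}

/* Step (3): 1 on match, 0 on mismatch, -1 if the pin file cannot be read. */
int spki_pin_matches(const unsigned char *spki, size_t spki_len, const char *path)
{
    size_t pin_len = 0;
    unsigned char *pin = read_pin(path, &pin_len);
    int ok = pin ? ct_equal(spki, spki_len, pin, pin_len) : -1;
    free(pin);
    return ok;
}

int main(void)
{
    /* Constructed DER-shaped stand-in for i2d_X509_PUBKEY() output, not a real key. */
    const unsigned char spki[] = {0x30, 0x06, 0x30, 0x00, 0x03, 0x02, 0x00, 0x01};
    FILE *fp = fopen("pin_demo.der", "wb");
    if (!fp || fwrite(spki, 1, sizeof spki, fp) != sizeof spki || fclose(fp)) return 1;
    printf("pin match: %d\n", spki_pin_matches(spki, sizeof spki, "pin_demo.der"));
    return remove("pin_demo.der") != 0;
}
```

A caller should treat both 0 and -1 as a failed pin check and abort the connection. With OpenSSL linked, `CRYPTO_memcmp` can replace the loop once the two lengths are known to be equal.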
