On 12/26/2017 14:07, Kurt Roeckx wrote: > On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote: >> On 12/26/2017 13:14, Salz, Rich via openssl-users wrote: >>> So if you put locks around the SSL_CTX object when it’s used, then you >>> can use the set private key call to update the key; and then all >>> SSL_new objects afterwards will use the new credentials. Does that >>> meet your need? >>> >> Yes, that I already know how to do. The issue is how to get the key >> from a PEM file into a format that I can feed it with set private key. >> There doesn't appear to be a means to "un-file-ify" the set private key >> functions. > You can use the d2i_PrivateKey and i2d_PrivateKey functions to read > and write the file. > >>>> "is there a decent way to convert a PEM or DER private key file into >>> ASN.1" using OpenSSL calls (from a "C" program, not from the command >>> line; we'll assume I have the key and cert files already.) >>> >>> I assume you mean “native C structure” and not ASN1? Because DER is >>> just the ASN1 serialized, and PEM is base64 encoded DER with marker >>> lines. … >>> >>> >>> >> So if I take a PEM private key file, strip the markers, and turn the >> actual key's base64 into binary (assuming an RSA key, so there's no "EC >> parameter" block in front) I now have an "opaque" unsigned character >> array of length "len" (the decoded Base64) which >> SSL_CTX_use_privateKey_ASN1 will accept? (Assuming the key file is >> unencrypted, of course.) >> >> What is the parameter "pk" passed to the call in that instance (it's not >> in the man page) > From the manpage: > SSL_CTX_use_PrivateKey_ASN1() adds the private key of type _pk_ > > So you would need to know that it's an RSA or EC key. If you used > d2i_AutoPrivateKey you don't need to know the type and get an > EVP_PKEY. > > > Kurt Thanks - I suspect I have enough to get things rolling :-)
-- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/
smime.p7s
Description: S/MIME Cryptographic Signature
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users