On 12/26/2017 14:07, Kurt Roeckx wrote: > On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote: >> On 12/26/2017 13:14, Salz, Rich via openssl-users wrote: >>> So if you put locks around the SSL_CTX object when it’s used, then you >>> can use the set private key call to update the key; and then all >>> SSL_new objects afterwards will use the new credentials. Does that >>> meet your need? >>> >> Yes, that I already know how to do. The issue is how to get the key >> from a PEM file into a format that I can feed it with set private key. >> There doesn't appear to be a means to "un-file-ify" the set private key >> functions. > You can use the d2i_PrivateKey and i2d_PrivateKey functions to read > and write the file. > >>>> "is there a decent way to convert a PEM or DER private key file into >>> ASN.1" using OpenSSL calls (from a "C" program, not from the command >>> line; we'll assume I have the key and cert files already.) >>> >>> I assume you mean “native C structure” and not ASN1? Because DER is >>> just the ASN1 serialized, and PEM is base64 encoded DER with marker >>> lines. … >>> >>> >>> >> So if I take a PEM private key file, strip the markers, and turn the >> actual key's base64 into binary (assuming an RSA key, so there's no "EC >> parameter" block in front) I now have an "opaque" unsigned character >> array of length "len" (the decoded Base64) which >> SSL_CTX_use_privateKey_ASN1 will accept? (Assuming the key file is >> unencrypted, of course.) >> >> What is the parameter "pk" passed to the call in that instance (it's not >> in the man page) > From the manpage: > SSL_CTX_use_PrivateKey_ASN1() adds the private key of type _pk_ > > So you would need to know that it's an RSA or EC key. If you used > d2i_AutoPrivateKey you don't need to know the type and get an > EVP_PKEY. > > > Kurt Not sure what I'm doing wrong here but obviously its something!
certtemp = *char certstore = unsigned char* (Both with enough allocated memory to hold the required data, of course) const unsigned char *p; certstore has the Base64 key in it (checked manually, I am reading it properly from the key file with the barrier lines and line feeds omitted.) ....... strcpy((char *) certstore, certtemp); p = certstore; key = d2i_AutoPrivateKey(NULL, &p, strlen(certtemp)); if (key == NULL) { ERR_error_string(ERR_get_error(), tmp); >> return(NULL); } ...... But I get $4 = 0xbf3f9b90 "error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag" in tmp and a NULL key return from d2i_AutoPrivateKey at the ">>" breakpoint. If I convert the base64 to binary first -- using the Base64 routine in OpenSSL (which I know I've coded correctly as the code in question uses it elsewhere to decode a MIME attachment) and pass a binary buffer and the length of that buffer (instead of a base64 buffer and its length) I still get NULL back for the EVP_PKEY structure and the same error text in tmp. If I load that same key file with (having put the path to the key file in tmp) with: if (SSL_CTX_use_PrivateKey_file(www_context, tmp, SSL_FILETYPE_PEM) < 0) {..... It loads and works. What's even MORE odd is that if I do this with the SAME key data I just loaded in base64 (knowing it's an RSA key): len = (strlen(certtemp) * 3) / 4 +1; cbin = decode_base64(certtemp, strlen(certtemp)); if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, www_context, cbin, len)) { ERR_error_string(ERR_get_error(), tmp); return(NULL); } THAT loads (the use_PrivateKey_ASN1 call returns zero -- and thus obviously likes what I passed it) There's probably something obvious I'm missing on what I'm doing wrong with the d2i call -- any quick hit pointers welcome.... -- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/
smime.p7s
Description: S/MIME Cryptographic Signature
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users