Re: Reading certificate from structure using d2i_X509??
On Tue, Mar 11, 2003 at 01:54:55PM -0800, rajagopalan ramanujam wrote:
>
> hi,
>
> I am having a problem when reading a certificate and
> private key from a memory buffer instead of a file.
> i am using d2i_X509(NULL,&cert,strlen(cert)) to read
> the certificate string which was defined in one of .pem
> file. Should i use SSL_CTX_use_certificate_ASN1
> instead??? Please help me.
>
> copied from server.pem file
> unsigned char * cert ="MIIDDzCCAs2gAwIBAgICAQw==";
> unsigned char * key = "y5qH6Q0Nvb5SUcJEYY...p6==";

Incorrect. This is PEM format; d2i_* expects DER/binary input. Use:

    % openssl x509 -in server.pem -noout -C > server_cert.c

which will produce something like this:

    [cut]
    unsigned char XXX_certificate[1592]={
    0x30,0x82,0x06,0x34,0x30,0x82,0x05,0x1C,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x0D,
    [cut]

> here is my sample server code :
>
> void ssl_server ()
> {
>     SSL_CTX* ctx;
>     SSL* ssl;
>     X509 *client_cert, *x509_cert, *x509_key;
>     char *str;
>     SSL_METHOD *meth;
>     int theFd;
>     fd_set theFdSet;
>
>     /* SSL preliminaries. We keep the certificate and key with the context. */
>
>     SSL_load_error_strings();
>     SSLeay_add_ssl_algorithms();
>     meth = SSLv23_server_method();
>     ctx = SSL_CTX_new (meth);
>
>     x509_cert = d2i_X509(NULL,&cert,strlen(cert));
>
>     if (SSL_CTX_use_certificate(ctx,x509_cert) <= 0) {
>         return;
>     }
>
>     x509_key = d2i_X509(NULL,&key,sizeof(key));
>
>     if (SSL_CTX_use_PrivateKey(ctx,x509_key) <= 0) {
>         return;
>     }
>
>     if (!SSL_CTX_check_private_key(ctx)) {
>         printf("Private key does not match the certificate public key\n");
>         return;
>     }
>
>     .
>     .
> }
>
> d2i_X509 is failing for the following reason:
>
> IMPLEMENT_ASN1_FUNCTIONS(X509)
>   ASN1_VALUE *ASN1_item_d2i(..)
>     asn1_check_tlen(..)
>       ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG);
>       return 0;

Here is sample code:

    X509 *get_cert(void)
    {
        unsigned char *der = XXX_certificate;
        X509 *crt = NULL;

        if (NULL == (crt = X509_new())) {
            /* Oops, out-of-memory? */
            return NULL;
        }
        return d2i_X509(&crt, &der, sizeof(XXX_certificate));
    }

> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]

--
regards
Valentin Zahariev
CTO E-CARD Ltd.
http://www.e-card.bg
PGP keyID: 0xC005C5CA
Key fingerprint = F3 46 26 21 8F F0 5E 19 5B B3 34 08 24 9E 71 13 C0 05 C5 CA
http://certs.e-card.bg:11371/pks/lookup?op=get&search=0xC005C5CA
Re: Reading certificate from structure using d2i_X509??
On Tue, Mar 11, 2003 at 01:54:55PM -0800, rajagopalan ramanujam wrote:
> hi,
>
> I am having a problem when reading a certificate and
> private key from a memory buffer instead of a file.
> i am using d2i_X509(NULL,&cert,strlen(cert)) to read
> the certificate string which was defined in one of .pem
> file. Should i use SSL_CTX_use_certificate_ASN1
> instead??? Please help me.
>
> copied from server.pem file
> unsigned char * cert ="MIIDDzCCAs2gAwIBAgICAQw==";
> unsigned char * key = "y5qH6Q0Nvb5SUcJEYY...p6==";

Your data are in PEM format (the data is ASCII-armored with BASE64). The d2i_ functions require the data to be in ASN.1 (DER) format. You must therefore first decode from the BASE64 armoring.

Best regards,
	Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Re: Reading certificate from structure using d2i_X509??
On Tue, Mar 11, 2003, rajagopalan ramanujam wrote:
> Thanks steve!!
>
> Can I use these two function calls to convert?
>
> PEM_read_bio_X509
> PEM_read_bio_PrivateKey
>

If you include all the newlines in the base64 encoded structure and create a memory BIO from the string using BIO_new_mem_buf(), see the BIO_s_mem manual page. Using binary and DER is more efficient though.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Re: Reading certificate from structure using d2i_X509??
Thanks steve!!

Can I use these two function calls to convert?

PEM_read_bio_X509
PEM_read_bio_PrivateKey

--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Tue, Mar 11, 2003, rajagopalan ramanujam wrote:
> >
> > hi,
> >
> > I am having a problem when reading a certificate and
> > private key from a memory buffer instead of a file.
> > i am using d2i_X509(NULL,&cert,strlen(cert)) to read
> > the certificate string which was defined in one of .pem
> > file. Should i use SSL_CTX_use_certificate_ASN1
> > instead??? Please help me.
> >
> > copied from server.pem file
> > unsigned char * cert ="MIIDDzCCAs2gAwIBAgICAQw==";
> > unsigned char * key = "y5qH6Q0Nvb5SUcJEYY...p6==";
> >
>
> You can only use d2i_X509() with the DER (binary) form of the certificate.
> Since this can contain embedded zeroes strlen() is not usable, you need a
> separate length parameter.
>
> The -C option of the 'x509' utility can translate a certificate into
> appropriate C code. For other things like private keys you need to translate
> them yourself. Something like the Unix utility xxd on the binary form can do
> that.
>
> The stuff you have looks like base64 form with all the newlines deleted. That
> isn't parseable directly. If you'd included all the newlines then you could
> use the standard PEM routines with a memory BIO.
>
> Steve.
> --
> Dr Stephen N. Henson.
> Core developer of the OpenSSL project: http://www.openssl.org/
> Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
> Email: [EMAIL PROTECTED], PGP key: via homepage.
Re: Reading certificate from structure using d2i_X509??
On Tue, Mar 11, 2003, rajagopalan ramanujam wrote:
>
> hi,
>
> I am having a problem when reading a certificate and
> private key from a memory buffer instead of a file.
> i am using d2i_X509(NULL,&cert,strlen(cert)) to read
> the certificate string which was defined in one of .pem
> file. Should i use SSL_CTX_use_certificate_ASN1
> instead??? Please help me.
>
> copied from server.pem file
> unsigned char * cert ="MIIDDzCCAs2gAwIBAgICAQw==";
> unsigned char * key = "y5qH6Q0Nvb5SUcJEYY...p6==";
>

You can only use d2i_X509() with the DER (binary) form of the certificate. Since this can contain embedded zeroes strlen() is not usable, you need a separate length parameter.

The -C option of the 'x509' utility can translate a certificate into appropriate C code. For other things like private keys you need to translate them yourself. Something like the Unix utility xxd on the binary form can do that.

The stuff you have looks like base64 form with all the newlines deleted. That isn't parseable directly. If you'd included all the newlines then you could use the standard PEM routines with a memory BIO.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
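As an added worked example (not code from this thread or from OpenSSL), the step Lutz and Steve describe: strip the PEM armor, base64-decode the body into DER, and hand back the byte count separately, because DER can contain zero bytes and strlen() stops at the first one. SAMPLE_PEM is a constructed armor around the bytes 30 03 02 01 00, not a real certificate; pem_to_der and looks_like_der are names assumed here.

```c
#include <string.h>

/* Base64 alphabet lookup: 0..63 for a valid symbol, -1 otherwise. */
static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Strip the "-----BEGIN/END ...-----" armor lines and base64-decode the body
 * into DER. Returns the DER length, or -1 on bad input or overflow. The length
 * must travel with the buffer: DER may contain 0x00, so strlen() is wrong. */
long pem_to_der(const char *pem, unsigned char *der, size_t der_cap)
{
    size_t n = 0;
    unsigned int acc = 0;   /* only the low `bits` bits are meaningful */
    int bits = 0;
    while (*pem) {
        if (pem[0] == '-' && pem[1] == '-') {          /* armor line: skip */
            while (*pem && *pem != '\n') pem++;
        } else if (strchr(" \t\r\n=", *pem)) {         /* whitespace/padding */
            pem++;
        } else {
            int v = b64_val((unsigned char)*pem++);
            if (v < 0) return -1;
            acc = (acc << 6) | (unsigned int)v;
            if ((bits += 6) >= 8) {
                bits -= 8;
                if (n >= der_cap) return -1;
                der[n++] = (unsigned char)((acc >> bits) & 0xFF);
            }
        }
    }
    return (long)n;
}

/* A certificate is a DER SEQUENCE, so byte 0 must be 0x30; base64 text starts
 * with 'M' (0x4D), which is why d2i_X509() on the PEM body reports WRONG_TAG. */
int looks_like_der(const unsigned char *buf, long len)
{
    return len > 0 && buf[0] == 0x30;
}

/* Constructed sample: armor around the DER bytes 30 03 02 01 00 (SEQUENCE { INTEGER 0 }). */
const char SAMPLE_PEM[] = "-----BEGIN CERTIFICATE-----\n"
                          "MAMCAQA=\n"
                          "-----END CERTIFICATE-----\n";
```

The decoded buffer and its length are what the thread says d2i_X509() needs: with OpenSSL, point a const unsigned char pointer p at der and call d2i_X509(NULL, &p, n). That call is left out of the block so it builds without libcrypto.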
Reading certificate from structure using d2i_X509??
hi,

I am having a problem when reading a certificate and private key from a memory buffer instead of a file. i am using d2i_X509(NULL,&cert,strlen(cert)) to read the certificate string which was defined in one of .pem file. Should i use SSL_CTX_use_certificate_ASN1 instead??? Please help me.

copied from server.pem file

    unsigned char * cert ="MIIDDzCCAs2gAwIBAgICAQw==";
    unsigned char * key = "y5qH6Q0Nvb5SUcJEYY...p6==";

here is my sample server code :

    void ssl_server ()
    {
        SSL_CTX* ctx;
        SSL* ssl;
        X509 *client_cert, *x509_cert, *x509_key;
        char *str;
        SSL_METHOD *meth;
        int theFd;
        fd_set theFdSet;

        /* SSL preliminaries. We keep the certificate and key with the context. */

        SSL_load_error_strings();
        SSLeay_add_ssl_algorithms();
        meth = SSLv23_server_method();
        ctx = SSL_CTX_new (meth);

        x509_cert = d2i_X509(NULL,&cert,strlen(cert));

        if (SSL_CTX_use_certificate(ctx,x509_cert) <= 0) {
            return;
        }

        x509_key = d2i_X509(NULL,&key,sizeof(key));

        if (SSL_CTX_use_PrivateKey(ctx,x509_key) <= 0) {
            return;
        }

        if (!SSL_CTX_check_private_key(ctx)) {
            printf("Private key does not match the certificate public key\n");
            return;
        }

        .
        .
    }

d2i_X509 is failing for the following reason:

    IMPLEMENT_ASN1_FUNCTIONS(X509)
      ASN1_VALUE *ASN1_item_d2i(..)
        asn1_check_tlen(..)
          ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG);
          return 0;