Re: How to convert from PEM to DER format?

2013-02-05 Thread Srivardhan Hebbar
Thanks Dave,

EVP_DecodeBlock did the magic.

-Sri


On Tue, Feb 5, 2013 at 5:47 AM, Dave Thompson dthomp...@prinpay.com wrote:

 From: owner-openssl-us...@openssl.org On Behalf Of Srivardhan Hebbar
 Sent: Tuesday, 29 January, 2013 04:57

 I have a string which has the certificate in PEM(Base64) format.
 I want to convert it to DER format(unsigned char). How can I do it?
 I wrote the following code: <snip>
 This code is failing. Am getting 'x' always null.

 PEM is not just base64. PEM is base64 plus header and trailer lines,
 here -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- .
 Do you have that?

 If not, either:

 - add the header and trailer lines, then PEM_read and i2d as now --
 except there is no guarantee that a (DER) certificate fits in 4K
 bytes. Reasonable DNs, and practically usable pubkey and signature,
 can't be much more than 1K, but CAs can, and some do, add the most
 mind-boggling crud in extensions. Either call i2d_(,NULL) first to
 determine the length and allocate that; or call it and check the
 length fits in your fixed size before doing i2d_(,buffer);
 or check the PEM (or just the base64) before decoding is not more
 than about 5.3KC (which does guarantee the binary fits in 4KB).

 - decode the base64 to binary directly. With OpenSSL you can
 read it through a b64-BIO, or (undocumented) just call
 EVP_DecodeBlock, or you can decode b64 in about 20 lines
 of C (maybe 10 if you don't care about handling errors).
 Unlike the above approach this does not check your data contains
 a facially-valid cert (that is, it is correctly structured and
 all required fields exist, but we don't know if it was properly
 signed by a trusted CA and not expired or revoked). But if you
 subsequently use the DER cert for anything, presumably that will
 at least decode it and hopefully verify/validate it.

 Aside: you could save some copies by creating a readonly mem-BIO
 directly on the c++ std::string's internal buffer, instead of
 .c_str() which may need to copy and BIO_puts which definitely does.
 But unless you have many (or huge) certs this shouldn't matter much.


 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List   openssl-users@openssl.org
 Automated List Manager   majord...@openssl.org
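
The second option in the reply above (decode the base64 body directly, with the output bounded by the caller's buffer) written out in plain C with no OpenSSL dependency. This is an added example, not code from the thread; pem_to_der, b64_val and SAMPLE_PEM are hypothetical names, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Map one base64 character to its 6-bit value; -1 if outside the alphabet. */
static int b64_val(int c)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Decode PEM text (or bare base64) into out[0..cap). Returns the DER length,
 * or -1 on a bad character, bad padding, truncation or a too-small buffer. */
long pem_to_der(const char *pem, unsigned char *out, size_t cap)
{
    unsigned long acc = 0;            /* bit accumulator */
    int bits = 0, pad = 0, bol = 1;   /* bol: at the beginning of a line */
    size_t n = 0;

    for (const char *s = pem; *s; s++) {
        if (bol && *s == '-') {       /* skip a -----BEGIN/END ...----- line */
            while (s[1] && s[1] != '\n') s++;
            continue;
        }
        bol = (*s == '\n');
        if (*s == '\n' || *s == '\r' || *s == ' ' || *s == '\t') continue;
        if (*s == '=') { if (++pad > 2) return -1; continue; }
        int v = b64_val((unsigned char)*s);
        if (v < 0 || pad) return -1;  /* junk, or data after padding began */
        acc = (acc << 6) | (unsigned long)v;
        if ((bits += 6) >= 8) {
            bits -= 8;
            if (n >= cap) return -1;  /* output would overflow the buffer */
            out[n++] = (unsigned char)(acc >> bits);
        }
    }
    return bits == 2 * pad ? (long)n : -1;  /* leftover bits must match '=' count */
}

/* Constructed sample: 5 DER bytes (30 03 02 01 05), not a real certificate. */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\nMAMC\nAQU=\n-----END CERTIFICATE-----\n";

int main(void)
{
    unsigned char der[4096];
    printf("DER length: %ld\n", pem_to_der(SAMPLE_PEM, der, sizeof der));
    return 0;
}
```

As the reply notes, this only undoes the base64 layer and does not check that the bytes form a well-structured certificate. A 4096-byte output buffer corresponds to at most 5464 base64 characters, which matches the "about 5.3KC" bound.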



How to convert from PEM to DER format?

2013-02-02 Thread Srivardhan Hebbar
Hi,

I have a string which has the certificate in PEM(Base64) format. I want to
convert it to DER format(unsigned char). How can I do it?

I wrote the following code:
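BIO *certBio = BIO_new(BIO_s_mem());
/* Copy the PEM text into the memory BIO */
int len = BIO_puts(certBio, value.c_str());
if (len < 1) {
    BIO_free(certBio);
    return ERROR;
}
BIO *bp = certBio;
/* Parse the PEM data into an X509 object */
X509 *x = PEM_read_bio_X509(bp, NULL, 0, NULL);
if (NULL == x) {
    BIO_free(certBio);
    return ERROR;
}
/* Serialize the X509 object to DER in a fixed 4 KB buffer */
unsigned char *certUc = (unsigned char *) malloc (4 * 1024);
unsigned char *out = certUc;
/* i2d_X509 takes the address of the output pointer and advances it */
len = i2d_X509(x, &out);
if (len < 1) {
    BIO_free(certBio);
    X509_free(x);
    free(certUc);
    return ERROR;
}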

This code is compiled using c++ compiler. 'value' is a String which has the
certificate in base64 encoded format.

This code is failing. Am getting 'x' always null. Can anyone pls help me.

I want a DER encoded certificate in unsigned char format from the String.
Can anyone tell me the way.

Thank-you,
Sri


Re: How to remove certificate from X509_STORE?

2013-01-16 Thread Srivardhan Hebbar
Thanks Dave,

I tried with the 2nd option. But people here didn't agree so finally went
ahead with the 3rd option.

Thanks for soln.
Sri


On Fri, Jan 11, 2013 at 3:25 AM, Dave Thompson dthomp...@prinpay.com wrote:

 From: owner-openssl-us...@openssl.org On Behalf Of Srivardhan Hebbar
 Sent: Tuesday, 08 January, 2013 08:34

 X509_STORE_add_cert() would add a certificate to the list of trusted
 certificates in the ctx. What is the way to remove a certificate from
 this trusted store? Am not finding any function to remove the certificate.
 Can anyone of you suggest a way to remove the certificate from this trusted
 store? Or is there a way to make an already loaded certificate an untrusted
 one?

 I presume you mean an SSL_CTX and certs trusted for SSL authentication.
 (OpenSSL can use, and trust, certs for other purposes.)

 1. An X509 object representing a cert in OpenSSL has an associated aux
 field of OpenSSL-added data including (optionally?) some trust settings.
 There are too many twisty passages for me to track down exactly what values
 can be in here, and what if any does what you want.

 2. The data in an X509_STORE is just a STACK_OF(X509_OBJECT). I don't see
 any official API, but you could just grab x-objs and sk_*_delete from it.
 You probably need to do downref/free to avoid a leak, and to do locking
 if your program(s) will or might use this while multithreading.

 3. If you want an official if clumsy way, create a new X509_STORE,
 initialize and fill it with everything from the existing one
 except the cert(s) you want to omit, and then use it.





Is there a function to remove cert from X509_Store.

2013-01-11 Thread Srivardhan Hebbar
Hi,

X509_STORE_add_cert() adds certificate to the trusted store. Is there a
function to remove this added certificate from this store? Can anybody
respond pls.

Thank-you,
Sri


Fwd: How to remove certificate from X509_STORE?

2013-01-09 Thread Srivardhan Hebbar
Hi,

X509_STORE_add_cert() would add a certificate to the list of trusted
certificates in the ctx. What is the way to remove a certificate from this
trusted store? Am not finding any function to remove the certificate. Can
anyone of you suggest a way to remove the certificate from this trusted
store? Or is there a way to make an already loaded certificate an untrusted
one?

Thank-you,
Sri


How to remove certificate from X509_STORE?

2013-01-04 Thread Srivardhan Hebbar
Hi,

X509_STORE_add_cert() would add a certificate to the list of trusted
certificates in the ctx. What is the way to remove a certificate from this
trusted store? Am not finding any function to remove the certificate. Can
anyone of you suggest a way to remove the certificate from this trusted
store? Or is there a way to make an already loaded certificate an untrusted
one?

Thank-you,
Sri