Re: Simple question: Maximum length of PEM file?
Thanks Wim, for your kind informative answer. Wim Lewis-3 wrote: On 26 Jul 2011, at 10:16 PM, Katif wrote: Can you tell me what are the application dependency factor here so we'll be able to chase a limit? It is used as an RSA key exchange certification/private key pairing. Thanks... The two things that are variable size are the key material itself, and the many fields that can occur in a certificate. A private key file just has key material, so its size should be proportional to the key size in bits (plus constant overhead); a certificate has key material for the key it represents, a signature from the issuer's key (which may have a size dependent on that key's size), and an arbitrary collection of other data that can be incorporated into the certificate when it's created (such as the name or address of the subject, or a list of permitted/forbidden uses, CRL distribution points, legal boilerplate, etc). I don't think there's any limit to the amount of extension data that can be included in a certificate, though in practice it's rarely more than a few kilobytes. I'd suggest parsing a handful of files using openssl asn1parse to get an idea of what's in there and how large each thing is. The sizes and offsets that asn1parse gives you refer to the DER-encoded file; a PEM-encoded file has four bytes for every three of DER, plus another few percent overhead for line endings. As Kenneth Goldman says, though, you need to consider what will happen when you encounter a certificate larger than you expect, because it *will* happen. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- View this message in context: http://old.nabble.com/Simple-question%3A-Maximum-length-of-PEM-file--tp32139325p32155520.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Simple question: Maximum length of PEM file?
Can you tell me what are the application dependency factor here so we'll be able to chase a limit? It is used as an RSA key exchange certification/private key pairing. Thanks... JoelKatz wrote: On 7/26/2011 4:38 AM, Katif wrote: I need to know in advance the maximum length of the following three PEM formatted files (excluding the -BEGIN/END lines): It's application-dependent. There is no answer in general. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- View this message in context: http://old.nabble.com/Simple-question%3A-Maximum-length-of-PEM-file--tp32139325p32145362.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Simple question: Maximum length of PEM file?
On 26 Jul 2011, at 10:16 PM, Katif wrote: Can you tell me what are the application dependency factor here so we'll be able to chase a limit? It is used as an RSA key exchange certification/private key pairing. Thanks... The two things that are variable size are the key material itself, and the many fields that can occur in a certificate. A private key file just has key material, so its size should be proportional to the key size in bits (plus constant overhead); a certificate has key material for the key it represents, a signature from the issuer's key (which may have a size dependent on that key's size), and an arbitrary collection of other data that can be incorporated into the certificate when it's created (such as the name or address of the subject, or a list of permitted/forbidden uses, CRL distribution points, legal boilerplate, etc). I don't think there's any limit to the amount of extension data that can be included in a certificate, though in practice it's rarely more than a few kilobytes. I'd suggest parsing a handful of files using openssl asn1parse to get an idea of what's in there and how large each thing is. The sizes and offsets that asn1parse gives you refer to the DER-encoded file; a PEM-encoded file has four bytes for every three of DER, plus another few percent overhead for line endings. As Kenneth Goldman says, though, you need to consider what will happen when you encounter a certificate larger than you expect, because it *will* happen. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Simple question: Maximum length of PEM file?
On 7/26/2011 10:16 PM, Katif wrote: Can you tell me what are the application dependency factor here so we'll be able to chase a limit? It is used as an RSA key exchange certification/private key pairing. Thanks... Maximum RSA key size supported. Extensions supported. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Simple question: Maximum length of PEM file?
Hi, I need to know in advance the maximum length of the following three PEM formatted files (excluding the -BEGIN/END lines): Private key file, Certificate file, CA certificate file. For example - the following file has 68 characters length: -BEGIN CERTIFICATE- MIIDCDCCAfACCQDhtkeHC+WN+DANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJQ TD -END CERTIFICATE- Thanks.. -- View this message in context: http://old.nabble.com/Simple-question%3A-Maximum-length-of-PEM-file--tp32139325p32139325.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Simple question: Maximum length of PEM file?
Is that possible in general? There's no maximum key size or signature size, and certificates can have extensions. I typically read the file size first, then allocate memory, then read the file. In general, hard coding a maximum length is used to enable a buffer overflow attack. :-) owner-openssl-us...@openssl.org wrote on 07/26/2011 07:38:12 AM: From: Katif yiz...@gmail.com To: openssl-users@openssl.org Date: 07/26/2011 09:17 AM I need to know in advance the maximum length of the following three PEM formatted files (excluding the -BEGIN/END lines): Private key file, Certificate file, CA certificate file. For example - the following file has 68 characters length: -BEGIN CERTIFICATE- MIIDCDCCAfACCQDhtkeHC+WN+DANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJQ TD -END CERTIFICATE-
Re: Simple question: Maximum length of PEM file?
On 7/26/2011 4:38 AM, Katif wrote: I need to know in advance the maximum length of the following three PEM formatted files (excluding the -BEGIN/END lines): It's application-dependent. There is no answer in general. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
