Question about migrating from d2i_ECPrivateKey() to d2i_PrivateKey(EVP_PKEY_EC, ...)
Nico Williams
nico at cryptonector.com
Sun Nov 20 20:12:34 UTC 2022
On Sat, 19 Nov 2022 01:26:38 -0500, Viktor Dukhovni wrote:
> Often, if you want a clear example of OpenSSL API usage, one place to
> look is the Postfix "tls" library. In this case:
>
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_certkey.c#L245-L266
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_certkey.c#L363-L370
Yes, I should not forget to look there first. I did look a lot at
OpenSSL internals though.
> Generally, I would expect d2i_... to automatically detect the algorithm
> when tagged with a suitable OID, and so d2i_AutoPrivateKey() could
> often work, but if you know the expected key type, you can ask for
> that explicitly with d2i_PrivateKey().
I figured it out. So, d2i_PrivateKey() wants a PKCS#8 wrapper so it can
figure out what the type of the private key blob is. On the other hand,
d2i_PublicKey() wants the input key to indicate the type of public key
to import. A strange asymmetry, but it works. Staring at Postfix and
OpenSSL code helped.
> I strive to also check that the buffer pointer advanced by the expected
> length (no "left-over" data):
>
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_certkey.c#L293-L306
Yes, indeed. If you glanced at my WIP code, it's not ready.
Nico
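The asymmetry Nico describes comes down to what the two encodings carry. A PKCS#8 PrivateKeyInfo wraps the key blob in an AlgorithmIdentifier (the key-type OID, plus the curve OID for EC keys), so d2i_PrivateKey() can learn the type from the input; a bare SEC1 ECPrivateKey (what d2i_ECPrivateKey() consumes) has no algorithm identifier at all, only an optional [0] curve parameter. The following stand-alone DER walker, added here as an example and not code from the thread, Postfix or OpenSSL, makes that difference visible and also performs the "no left-over data" check Viktor mentions by comparing the outer SEQUENCE's end against the buffer length. All function names, the sample key bytes (a constructed placeholder scalar, not a real key) and the minimal DER encoder are assumptions of this example; OpenSSL's own d2i_* functions do the equivalent work in C.

```python
"""Classify a DER private-key blob as PKCS#8 PrivateKeyInfo or SEC1
ECPrivateKey and report trailing bytes (added example; not OpenSSL code)."""

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey
PRIME256V1 = "1.2.840.10045.3.1.7"       # secp256r1 / prime256v1


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos:]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OID contents into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def classify_private_key(der):
    """Return the outer format, algorithm OID (PKCS#8 only), curve OID and
    the number of bytes left over after the outer SEQUENCE."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("private key must start with a SEQUENCE")
    trailing = len(der) - end              # the "left-over data" check
    vtag, version, pos = _read_tlv(body, 0)
    if vtag != 0x02:
        raise ValueError("expected version INTEGER")
    ntag, nval, pos = _read_tlv(body, pos)
    if ntag == 0x30:
        # PKCS#8: second element is AlgorithmIdentifier { OID, params }.
        _, alg, p2 = _read_tlv(nval, 0)
        curve = None
        if p2 < len(nval):
            ptag, pval, _ = _read_tlv(nval, p2)
            if ptag == 0x06:               # EC keys carry the curve OID here
                curve = _decode_oid(pval)
        return {"format": "PKCS#8", "algorithm": _decode_oid(alg),
                "curve": curve, "trailing_bytes": trailing}
    if ntag == 0x04:
        # SEC1 ECPrivateKey: version 1, OCTET STRING scalar, no algorithm
        # identifier; the curve appears only in the optional [0] element.
        if version != b"\x01":
            raise ValueError("SEC1 ECPrivateKey version must be 1")
        curve = None
        while pos < len(body):
            ctag, cval, pos = _read_tlv(body, pos)
            if ctag == 0xA0:
                _, oid, _ = _read_tlv(cval, 0)
                curve = _decode_oid(oid)
        return {"format": "SEC1", "algorithm": None,
                "curve": curve, "trailing_bytes": trailing}
    raise ValueError("unrecognised private key structure")


# --- minimal DER encoder used only to build constructed sample input ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


SCALAR = bytes(range(1, 33))               # constructed placeholder, not a key
SEC1_DER = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, SCALAR)
                + _tlv(0xA0, _encode_oid(PRIME256V1)))
PKCS8_DER = _tlv(0x30, _tlv(0x02, b"\x00")
                 + _tlv(0x30, _encode_oid(ID_EC_PUBLIC_KEY) + _encode_oid(PRIME256V1))
                 + _tlv(0x04, SEC1_DER))

if __name__ == "__main__":
    print(classify_private_key(SEC1_DER))
    print(classify_private_key(PKCS8_DER))
    print(classify_private_key(PKCS8_DER + b"\x00\x00"))   # 2 trailing bytes
```

Run with any DER key you hold (PEM body base64-decoded) to see which structure you have: a SEC1 result is what d2i_ECPrivateKey() expects and, lacking any OID, is exactly why d2i_PrivateKey() needs the PKCS#8 form to identify the key type. A non-zero `trailing_bytes` is the condition Postfix rejects after the pointer-advance check.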