<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
On 12/26/2017 14:07, Kurt Roeckx wrote:<br>
<blockquote type="cite" cite="mid:20171226200729.GA16584@roeckx.be">
<pre wrap="">On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
On 12/26/2017 13:14, Salz, Rich via openssl-users wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
So if you put locks around the SSL_CTX object when it’s used, then you
can use the set private key call to update the key; and then all
SSL_new objects afterwards will use the new credentials. Does that
meet your need?
</pre>
</blockquote>
<pre wrap="">Yes, that I already know how to do. The issue is how to get the key
from a PEM file into a format that I can feed it with set private key.
There doesn't appear to be a means to "un-file-ify" the set private key
functions.
</pre>
</blockquote>
<pre wrap="">
You can use the d2i_PrivateKey and i2d_PrivateKey functions to read
and write the file.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">"is there a decent way to convert a PEM or DER private key file into
</pre>
</blockquote>
<pre wrap="">ASN.1" using OpenSSL calls (from a "C" program, not from the command
line; we'll assume I have the key and cert files already.)
I assume you mean “native C structure” and not ASN1? Because DER is
just the ASN1 serialized, and PEM is base64 encoded DER with marker
lines. …
</pre>
</blockquote>
<pre wrap="">So if I take a PEM private key file, strip the markers, and turn the
actual key's base64 into binary (assuming an RSA key, so there's no "EC
parameter" block in front) I now have an "opaque" unsigned character
array of length "len" (the decoded Base64) which
SSL_CTX_use_privateKey_ASN1 will accept? (Assuming the key file is
unencrypted, of course.)
What is the parameter "pk" passed to the call in that instance (it's not
in the man page)
</pre>
</blockquote>
<pre wrap="">
From the manpage:
SSL_CTX_use_PrivateKey_ASN1() adds the private key of type _pk_
So you would need to know that it's an RSA or EC key. If you used
d2i_AutoPrivateKey you don't need to know the type and get an
EVP_PKEY.
Kurt</pre>
</blockquote>
Not sure what I'm doing wrong here but obviously its something!<br>
<br>
certtemp = *char<br>
certstore = unsigned char* (Both with enough allocated memory to
hold the required data, of course)<br>
const unsigned char *p;<br>
<br>
certstore has the Base64 key in it (checked manually, I am reading
it properly from the key file with the barrier lines and line feeds
omitted.)<br>
<br>
.......<br>
<br>
strcpy((char *) certstore, certtemp);<br>
p = certstore;<br>
key = d2i_AutoPrivateKey(NULL, &p, strlen(certtemp));<br>
if (key == NULL) {<br>
ERR_error_string(ERR_get_error(), tmp);<br>
>> return(NULL);<br>
}<br>
<br>
......<br>
<br>
But I get <br>
<br>
$4 = 0xbf3f9b90 "error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong tag"<br>
in tmp and a NULL key return from d2i_AutoPrivateKey at the
">>" breakpoint.<br>
<br>
If I convert the base64 to binary first -- using the Base64 routine
in OpenSSL (which I know I've coded correctly as the code in
question uses it elsewhere to decode a MIME attachment) and pass a
binary buffer and the length of that buffer (instead of a base64
buffer and its length) I still get NULL back for the EVP_PKEY
structure and the same error text in tmp.<br>
<br>
If I load that same key file with (having put the path to the key
file in tmp) with:<br>
<br>
if (SSL_CTX_use_PrivateKey_file(www_context, tmp, SSL_FILETYPE_PEM)
< 0) {.....<br>
<br>
It loads and works.<br>
<br>
What's even MORE odd is that if I do this with the SAME key data I
just loaded in base64 (knowing it's an RSA key):<br>
<br>
len = (strlen(certtemp) * 3) / 4 +1;<br>
cbin = decode_base64(certtemp, strlen(certtemp));<br>
if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, www_context,
cbin, len)) {<br>
ERR_error_string(ERR_get_error(), tmp);<br>
return(NULL);<br>
}<br>
<br>
THAT loads (the use_PrivateKey_ASN1 call returns zero -- and thus
obviously likes what I passed it)<br>
<br>
There's probably something obvious I'm missing on what I'm doing
wrong with the d2i call -- any quick hit pointers welcome....<br>
<br>
-- <br>
<div class="moz-signature">Karl Denninger<br>
<a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
</div>
</body>
</html>