<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
On 12/28/2017 16:15, Karl Denninger wrote:<br>
<blockquote type="cite"
cite="mid:497540fe-1fcf-6c41-ffd7-f90bcf82dfba@denninger.net">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
On 12/26/2017 14:07, Kurt Roeckx wrote:<br>
<blockquote type="cite"
cite="mid:20171226200729.GA16584@roeckx.be">
<pre wrap="">On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 12/26/2017 13:14, Salz, Rich via openssl-users wrote:
</pre>
<blockquote type="cite">
<pre wrap="">So if you put locks around the SSL_CTX object when it’s used, then you
can use the set private key call to update the key; and then all
SSL_new objects afterwards will use the new credentials. Does that
meet your need?
</pre>
</blockquote>
<pre wrap="">Yes, that I already know how to do. The issue is how to get the key
from a PEM file into a format that I can feed it with set private key.
There doesn't appear to be a means to "un-file-ify" the set private key
functions.
</pre>
</blockquote>
<pre wrap="">You can use the d2i_PrivateKey and i2d_PrivateKey functions to read
and write the file.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">"is there a decent way to convert a PEM or DER private key file into
</pre>
</blockquote>
<pre wrap="">ASN.1" using OpenSSL calls (from a "C" program, not from the command
line; we'll assume I have the key and cert files already.)
I assume you mean “native C structure” and not ASN1? Because DER is
just the ASN1 serialized, and PEM is base64 encoded DER with marker
lines. …
</pre>
</blockquote>
<pre wrap="">So if I take a PEM private key file, strip the markers, and turn the
actual key's base64 into binary (assuming an RSA key, so there's no "EC
parameter" block in front) I now have an "opaque" unsigned character
array of length "len" (the decoded Base64) which
SSL_CTX_use_privateKey_ASN1 will accept? (Assuming the key file is
unencrypted, of course.)
What is the parameter "pk" passed to the call in that instance (it's not
in the man page)
</pre>
</blockquote>
<pre wrap="">From the manpage:
SSL_CTX_use_PrivateKey_ASN1() adds the private key of type _pk_
So you would need to know that it's an RSA or EC key. If you used
d2i_AutoPrivateKey you don't need to know the type and get an
EVP_PKEY.
Kurt</pre>
</blockquote>
Not sure what I'm doing wrong here but obviously its something!<br>
<br>
certtemp = *char<br>
certstore = unsigned char* (Both with enough allocated memory to
hold the required data, of course)<br>
const unsigned char *p;<br>
<br>
certstore has the Base64 key in it (checked manually, I am reading
it properly from the key file with the barrier lines and line
feeds omitted.)<br>
<br>
.......<br>
<br>
strcpy((char *) certstore, certtemp);<br>
p = certstore;<br>
key = d2i_AutoPrivateKey(NULL, &p, strlen(certtemp));<br>
if (key == NULL) {<br>
ERR_error_string(ERR_get_error(), tmp);<br>
>> return(NULL);<br>
}<br>
<br>
......<br>
<br>
But I get <br>
<br>
$4 = 0xbf3f9b90 "error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong tag"<br>
in tmp and a NULL key return from d2i_AutoPrivateKey at the
">>" breakpoint.<br>
<br>
If I convert the base64 to binary first -- using the Base64
routine in OpenSSL (which I know I've coded correctly as the code
in question uses it elsewhere to decode a MIME attachment) and
pass a binary buffer and the length of that buffer (instead of a
base64 buffer and its length) I still get NULL back for the
EVP_PKEY structure and the same error text in tmp.<br>
<br>
If I load that same key file with (having put the path to the key
file in tmp) with:<br>
<br>
if (SSL_CTX_use_PrivateKey_file(www_context, tmp,
SSL_FILETYPE_PEM) < 0) {.....<br>
<br>
It loads and works.<br>
<br>
What's even MORE odd is that if I do this with the SAME key data I
just loaded in base64 (knowing it's an RSA key):<br>
<br>
len = (strlen(certtemp) * 3) / 4 +1;<br>
cbin = decode_base64(certtemp, strlen(certtemp));<br>
if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA,
www_context, cbin, len)) {<br>
ERR_error_string(ERR_get_error(), tmp);<br>
return(NULL);<br>
}<br>
<br>
THAT loads (the use_PrivateKey_ASN1 call returns zero -- and thus
obviously likes what I passed it)<br>
<br>
There's probably something obvious I'm missing on what I'm doing
wrong with the d2i call -- any quick hit pointers welcome....<br>
<br>
-- <br>
<div class="moz-signature">Karl Denninger<br>
<a href="mailto:karl@denninger.net" moz-do-not-send="true">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
Ok, never mind, it appears to take the key but then when I check for
coherence between the key and certificate it says they don't
match..... so apparently it does NOT like the key load in ASN1, even
though it doesn't complain about it when I call the "use" function.<br>
<br>
Hmmmm.... <br>
<br>
<div class="moz-signature">-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
</div>
</body>
</html>