[openssl-users] Checking if an EVP_PKEY* contains a private key

Dr. Stephen Henson steve at openssl.org
Tue Dec 22 12:36:14 UTC 2015

On Tue, Dec 22, 2015, Viktor Dukhovni wrote:

> On Mon, Dec 21, 2015 at 09:29:03PM -0800, Stephen Kou wrote:
> > OpenSSL has the higher-level EVP_PKEY_* functions which abstract
> > the public key cryptography algorithms.  However, sometimes an EVP_PKEY*
> > only has a public key.  How could I check if a given EVP_PKEY* contains
> > a private key?
>
>     len = i2d_PrivateKey(key, NULL);
>     if (len <= 0) {
>         /* No private key, or error determining its DER length */
>     } else {
>         /* Private key available */
>     }

Interesting idea but that may actually work in some cases due to the "NULL is
absent" rule. Encoding the key to a buffer and then attempting to decode it
should be more reliable: any absent components will cause a parsing error.

However, even that won't work in general because the EVP_PKEY structure might
come from an engine which doesn't set the private key components.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
