[openssl-users] Is there openssl API to verify certificate content is DER or PEM format ?

Viktor Dukhovni openssl-users at dukhovni.org
Tue Jun 9 05:03:47 UTC 2015

[ Please DO NOT post user questions to openssl-dev, that's rude. ]

On Tue, Jun 09, 2015 at 09:51:52AM +0530, Nayna Jain wrote:

> I need to verify if the certifiate I have received is having its content in
> PEM/DER format.
> Is there any API which if given file pointer like (fp) will tell me whether
> it has valid format of certificate and if yes then whether it is PEM/DER
> format ?
> If no API, then what is the other way to verify this ?

If the first character of the file is 0x30 (ASN.1 sequence) it is
likely in DER form.  With stdio you can peek at that character and
use ungetc() to put it back.

The only false positives for DER will be files in which the PEM
'-----BEGIN ...-----' line is preceded by "comment" text that
happens to start with a '0'.  If your PEM files contain no "comments",
the test is always accurate.

A more robust test is to try PEM_read_X509() or PEM_read_bio_X509()
and if that fails, rewind the file, and try d2i_X509_fp() or
d2i_X509_bio().  The latter need not be tried if the first character
of the file is not 0x30.


More information about the openssl-users mailing list