[openssl-users] Is there openssl API to verify certificate content is DER or PEM format ?

Nayna Jain naynjain at in.ibm.com
Wed Jun 10 03:18:41 UTC 2015


I think I will try with X509_read_xxx and d2i_, then probably do not have
to read throu first character as 0x30.

I had few more questions.

Are all d2i_xxx type of APIs for DER format.

And if I have to operate on DER formatted certs, do I need to first convert
it to PEM and then user PEM APIs. or there are DER specific APIs also, I
didn't find though, unless they are d2i_xxx types.

Thanks & Regards,
Nayna Jain

From:	Viktor Dukhovni <openssl-users at dukhovni.org>
To:	openssl-users at openssl.org
Date:	06/09/2015 10:34 AM
Subject:	Re: [openssl-users] Is there openssl API to verify certificate
            content is DER or PEM format ?
Sent by:	"openssl-users" <openssl-users-bounces at openssl.org>

[ Please DO NOT post user questions to openssl-dev, that's rude. ]

On Tue, Jun 09, 2015 at 09:51:52AM +0530, Nayna Jain wrote:

> I need to verify if the certifiate I have received is having its content
> PEM/DER format.
> Is there any API which if given file pointer like (fp) will tell me
> it has valid format of certificate and if yes then whether it is PEM/DER
> format ?
> If no API, then what is the other way to verify this ?

If the first character of the file is 0x30 (ASN.1 sequence) it is
likely in DER form.  With stdio you can peek at that character and
use ungetc() to put it back.

The only false positives for DER will be files in which the PEM
'-----BEGIN ...-----' line is preceded by "comment" text that
happens to start with a '0'.  If your PEM files contain no "comments",
the test is always accurate.

A more robust test is to try PEM_read_X509() or PEM_read_bio_X509()
and if that fails, rewind the file, and try d2i_X509_fp() or
d2i_X509_bio().  The latter need not be tried if the first character
of the file is not 0x30.

openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150610/ed8914a0/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150610/ed8914a0/attachment.gif>

More information about the openssl-users mailing list