[openssl-users] Question as to best options....

Karl Denninger karl at denninger.net
Tue Dec 26 18:38:32 UTC 2017


So let's assume I have system A and B.

System A has some store of certificates and keys.  We'll assume they're
in either PEM or DER format and OpenSSL generated them.

System B is going to get passed one or both via a mechanism (e.g. over a
TLS connection that it has validated as being "ok" with appropriate
cipher and certificate chase, so it's reasonably convinced it's talking
to who it thinks it is), and then wishes to install them into executing
software so OpenSSL can use them for THAT system to do something with
(e.g. take connections from a third machine, sign objects, etc.)  I
already know how to do the "do something" part with OpenSSL.  System B does
*NOT* want to store these persistently on the disk somewhere (even
transiently.)

What I'm trying to figure out is the "best" way to handle this.
SSL_CTX_use_PrivateKey accepts an EVP_PKEY pointer,
SSL_CTX_use_PrivateKey_ASN1 takes an ASN1 structure of length len, but
what is parameter "pk" (not explained in the man page) and this assumes
I have an ASN.1...

I would assume that doing wonky things with EVP_PKEY (like digging into
the structure once loaded, grabbing it and transmitting it) is a
severely bad idea as the structure may change (e.g. EVP_PKEY is intended
to be an opaque structure from a user code perspective.)

So that leaves the obvious question as "is there a decent way to convert
a PEM or DER private key file into ASN.1" using OpenSSL calls (from a
"C" program, not from the command line; we'll assume I have the key and
cert files already.)

TIA
--
Karl Denninger
karl at denninger.net

/The Market Ticker/
/[S/MIME encrypted email preferred]/