[openssl-users] Question as to best options....

Karl Denninger karl at denninger.net
Tue Dec 26 19:42:57 UTC 2017

On 12/26/2017 13:14, Salz, Rich via openssl-users wrote:
> So if you put locks around the SSL_CTX object when it’s used, then you
> can use the set private key call to update the key; and then all
> SSL_new objects afterwards will use the new credentials.  Does that
> meet your need?
Yes, that I already know how to do.  The issue is how to get the key
from a PEM file into a format that I can feed it with set private key. 
There doesn't appear to be a means to "un-file-ify" the set private key
> > "is there a decent way to convert a PEM or DER private key file into
> ASN.1" using OpenSSL calls (from a "C" program, not from the command
> line; we'll assume I have the key and cert files already.)
> I assume you mean “native C structure” and not ASN1?  Because DER is
> just the ASN1 serialized, and PEM is base64 encoded DER with marker
> lines. …
So if I take a PEM private key file, strip the markers, and turn the
actual key's base64 into binary (assuming an RSA key, so there's no "EC
parameter" block in front) I now have an "opaque" unsigned character
array of length "len" (the decoded Base64) which
SSL_CTX_use_privateKey_ASN1 will accept?  (Assuming the key file is
unencrypted, of course.)

What is the parameter "pk" passed to the call in that instance (it's not
in the man page)

int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, unsigned char *d, long len);

And likewise, I can just bytewise load a DER file (e.g. read() it into a
memory buffer) and then pass that as it's simply a binary copy of the
Base64 contained within the markers (plus the EC parameters if it's an
ECDSA key)?

If so that makes it materially easier than I thought it would be....

Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171226/4aca3bf8/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4897 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171226/4aca3bf8/attachment.bin>

More information about the openssl-users mailing list