[openssl-users] Question as to best options....

[Kurt Roeckx]

On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote:
> 
> On 12/26/2017 13:14, Salz, Rich via openssl-users wrote:
> >
> > So if you put locks around the SSL_CTX object when it’s used, then you
> > can use the set private key call to update the key; and then all
> > SSL_new objects afterwards will use the new credentials.  Does that
> > meet your need?
> >
> Yes, that I already know how to do.  The issue is how to get the key
> from a PEM file into a format that I can feed it with set private key. 
> There doesn't appear to be a means to "un-file-ify" the set private key
> functions.

You can use the d2i_PrivateKey and i2d_PrivateKey functions to read
and write the file.

> > > "is there a decent way to convert a PEM or DER private key file into
> > ASN.1" using OpenSSL calls (from a "C" program, not from the command
> > line; we'll assume I have the key and cert files already.)
> >
> > I assume you mean “native C structure” and not ASN1?  Because DER is
> > just the ASN1 serialized, and PEM is base64 encoded DER with marker
> > lines. …
> >
> >
> >
> So if I take a PEM private key file, strip the markers, and turn the
> actual key's base64 into binary (assuming an RSA key, so there's no "EC
> parameter" block in front) I now have an "opaque" unsigned character
> array of length "len" (the decoded Base64) which
> SSL_CTX_use_privateKey_ASN1 will accept?  (Assuming the key file is
> unencrypted, of course.)
> 
> What is the parameter "pk" passed to the call in that instance (it's not
> in the man page)

>From the manpage:
SSL_CTX_use_PrivateKey_ASN1() adds the private key of type _pk_

So you would need to know that it's an RSA or EC key. If you used
d2i_AutoPrivateKey you don't need to know the type and get an
EVP_PKEY.


Kurt