[openssl-users] Question as to best options....
Karl Denninger
karl at denninger.net
Tue Dec 26 20:56:13 UTC 2017
On 12/26/2017 14:07, Kurt Roeckx wrote:
> On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote:
>> On 12/26/2017 13:14, Salz, Rich via openssl-users wrote:
>>> So if you put locks around the SSL_CTX object when it’s used, then you
>>> can use the set private key call to update the key; and then all
>>> SSL_new objects afterwards will use the new credentials. Does that
>>> meet your need?
>>>
>> Yes, that I already know how to do. The issue is how to get the key
>> from a PEM file into a format that I can feed it with set private key.
>> There doesn't appear to be a means to "un-file-ify" the set private key
>> functions.
> You can use the d2i_PrivateKey and i2d_PrivateKey functions to read
> and write the file.
>
>>>> "is there a decent way to convert a PEM or DER private key file into
>>> ASN.1" using OpenSSL calls (from a "C" program, not from the command
>>> line; we'll assume I have the key and cert files already.)
>>>
>>> I assume you mean “native C structure” and not ASN1? Because DER is
>>> just the ASN1 serialized, and PEM is base64 encoded DER with marker
>>> lines. …
>>>
>>>
>>>
>> So if I take a PEM private key file, strip the markers, and turn the
>> actual key's base64 into binary (assuming an RSA key, so there's no "EC
>> parameter" block in front) I now have an "opaque" unsigned character
>> array of length "len" (the decoded Base64) which
>> SSL_CTX_use_privateKey_ASN1 will accept? (Assuming the key file is
>> unencrypted, of course.)
>>
>> What is the parameter "pk" passed to the call in that instance (it's not
>> in the man page)
> From the manpage:
> SSL_CTX_use_PrivateKey_ASN1() adds the private key of type _pk_
>
> So you would need to know that it's an RSA or EC key. If you used
> d2i_AutoPrivateKey you don't need to know the type and get an
> EVP_PKEY.
>
>
> Kurt
Thanks - I suspect I have enough to get things rolling :-)
--
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171226/3e49bc88/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4897 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171226/3e49bc88/attachment.bin>
More information about the openssl-users
mailing list