[openssl-users] Question as to best options....

Karl Denninger karl at denninger.net
Thu Dec 28 22:15:20 UTC 2017

On 12/26/2017 14:07, Kurt Roeckx wrote:
> On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote:
>> On 12/26/2017 13:14, Salz, Rich via openssl-users wrote:
>>> So if you put locks around the SSL_CTX object when it’s used, then you
>>> can use the set private key call to update the key; and then all
>>> SSL_new objects afterwards will use the new credentials.  Does that
>>> meet your need?
>> Yes, that I already know how to do.  The issue is how to get the key
>> from a PEM file into a format that I can feed it with set private key. 
>> There doesn't appear to be a means to "un-file-ify" the set private key
>> functions.
> You can use the d2i_PrivateKey and i2d_PrivateKey functions to read
> and write the file.
>>>> "is there a decent way to convert a PEM or DER private key file into
>>> ASN.1" using OpenSSL calls (from a "C" program, not from the command
>>> line; we'll assume I have the key and cert files already.)
>>> I assume you mean “native C structure” and not ASN1?  Because DER is
>>> just the ASN1 serialized, and PEM is base64 encoded DER with marker
>>> lines. …
>> So if I take a PEM private key file, strip the markers, and turn the
>> actual key's base64 into binary (assuming an RSA key, so there's no "EC
>> parameter" block in front) I now have an "opaque" unsigned character
>> array of length "len" (the decoded Base64) which
>> SSL_CTX_use_privateKey_ASN1 will accept?  (Assuming the key file is
>> unencrypted, of course.)
>> What is the parameter "pk" passed to the call in that instance (it's not
>> in the man page)
> From the manpage:
> SSL_CTX_use_PrivateKey_ASN1() adds the private key of type _pk_
> So you would need to know that it's an RSA or EC key. If you used
> d2i_AutoPrivateKey you don't need to know the type and get an
> Kurt
Not sure what I'm doing wrong here but obviously its something!

certtemp = *char
certstore = unsigned char*  (Both with enough allocated memory to hold
the required data, of course)
const unsigned char *p;

certstore has the Base64 key in it (checked manually, I am reading it
properly from the key file with the barrier lines and line feeds omitted.)


        strcpy((char *) certstore, certtemp);
        p = certstore;
        key = d2i_AutoPrivateKey(NULL, &p, strlen(certtemp));
        if (key == NULL) {
                ERR_error_string(ERR_get_error(), tmp);
>>           return(NULL);


But I get

$4 = 0xbf3f9b90 "error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong tag"
in tmp and a NULL key return from d2i_AutoPrivateKey at the ">>" breakpoint.

If I convert the base64 to binary first -- using the Base64 routine in
OpenSSL (which I know I've coded correctly as the code in question uses
it elsewhere to decode a MIME attachment) and pass a binary buffer and
the length of that buffer (instead of a base64 buffer and its length) I
still get NULL back for the EVP_PKEY structure and the same error text
in tmp.

If I load that same key file with (having put the path to the key file
in tmp) with:

if (SSL_CTX_use_PrivateKey_file(www_context, tmp, SSL_FILETYPE_PEM) < 0)

It loads and works.

What's even MORE odd is that if I do this with the SAME key data I just
loaded in base64 (knowing it's an RSA key):

         len = (strlen(certtemp) * 3) / 4 +1;
         cbin = decode_base64(certtemp, strlen(certtemp));
         if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, www_context,
cbin, len)) {
             ERR_error_string(ERR_get_error(), tmp);

THAT loads (the use_PrivateKey_ASN1 call returns zero -- and thus
obviously likes what I passed it)

There's probably something obvious I'm missing on what I'm doing wrong
with the d2i call -- any quick hit pointers welcome....

Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171228/2dfbf225/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4897 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171228/2dfbf225/attachment-0001.bin>

More information about the openssl-users mailing list