[openssl-users] Programmatically check private key and public key cert?

Karl Denninger karl at denninger.net
Thu Jan 11 15:41:04 UTC 2018


On 1/11/2018 09:28, pratyush parimal wrote:
> Hi,
>
> Hope everyone is having a good new year so far!
>
> I'm trying to find a way to make sure that a
> private-key/public-key-cert pair I'm given, will absolutely work when
> I stick them into my SSL_CTX* object and try to use that for ssl.
> Short of trying to simulate a test ssl connection over localhost for
> testing them out, is there a way to ensure that?
>
> After googling, it seems that I may be able to verify that by
> comparing the modulus from the key and the cert. Does anyone know if
> that's sufficient, and how to do it programmatically?
If you call SSL_CTX_check_private_key() on your context it will return
"0" if the private key and certificate you have loaded do not match (and
thus won't work.)  If you get a "1" back then, provided you have a set of
ciphers declared (or the defaults) that are compatible on both ends so
the code can negotiate a cipher set, it should work.

There is no guaranteed way to know if a connection will work from some
other piece of code you don't control, however, because it's entirely
possible for the other end to try to insist on (or only be able to
support) a protocol you have disallowed (e.g. SSLv3) or for there to be
no intersection between the cipher sets allowed by both sides and the
certificate and key constraints (never mind certificate validation, if
you are checking it.)

>
> I was also wondering if I should just try to perform an
> encrypt-decrypt sequence using the pair I have, and use the success of
> that as confirmation that my ssl connection will work later, as far as
> the certs are concerned. Would that be the right way to go about it?
>
IMHO see above.

-- 
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
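The pairing check discussed above, as an added example that is not part of the original thread or of OpenSSL's own code: it generates its own constructed key material in a temporary directory and then checks, offline, whether a given private key belongs to a certificate. It assumes only that the `openssl` command-line tool (1.1.1 or 3.x) is on PATH. It shows both the RSA-modulus comparison the question mentions and the more general public-key (SubjectPublicKeyInfo) comparison, which is the check X509_check_private_key()/SSL_CTX_check_private_key() perform internally and which also covers EC and Ed25519 keys.

```shell
#!/bin/sh
# Added example, not code from the original post: verify offline that a
# private key belongs to a certificate, using only the openssl CLI
# (assumed to be on PATH, OpenSSL 1.1.1 or 3.x). All key material is
# constructed here in a temporary directory; nothing touches the network.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: an RSA key plus a self-signed certificate for it,
# and a second, unrelated RSA key that must NOT be accepted for that cert.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/good.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/good.key" -out "$WORK/cert.pem" \
    -days 1 -subj "/CN=example.test" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/bad.key" 2>/dev/null

# rsa_modulus_matches CERT KEY
# The check suggested in the question: compare the RSA modulus printed from
# the certificate with the one printed from the private key. Correct, but
# RSA-only: `openssl rsa -modulus` cannot read EC or Ed25519 keys, so the
# function also returns 1 when the key is not RSA at all.
rsa_modulus_matches() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# pubkey_matches CERT KEY
# The general check: derive the public key (PEM SubjectPublicKeyInfo) from
# the private key and compare it with the public key carried in the
# certificate. Works for any key type OpenSSL can load.
pubkey_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# report CERT KEY: print a one-line verdict; return 0 on match, 1 otherwise.
report() {
    if pubkey_matches "$1" "$2"; then
        echo "MATCH:    $2 is the private key for $1"
        return 0
    fi
    echo "MISMATCH: $2 does not belong to $1"
    return 1
}

report "$WORK/cert.pem" "$WORK/good.key"
report "$WORK/cert.pem" "$WORK/bad.key" || true
```

This is the same pairing test an SSL_CTX applies when you load the pair: SSL_CTX_use_PrivateKey() and SSL_CTX_check_private_key() fail on the bad key with "key values mismatch". A match only proves the key and certificate belong together; as the reply notes, whether a particular peer will then complete a handshake still depends on the protocol versions, cipher suites and certificate constraints both sides allow, which no offline check of the pair can settle.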