[openssl-users] get type of PEM data

Jakob Bohm jb-openssl at wisemo.com
Thu Mar 29 09:19:31 UTC 2018


On 29/03/2018 10:08, Richard Levitte wrote:
> In message <1ce93d56-6fa4-1bae-d440-5ab843900e40 at jordan.maileater.net> on Wed, 28 Mar 2018 17:10:40 -0700, Jordan Brown <openssl at jordan.maileater.net> said:
>
> openssl> Matt: Indeed, looks very promising. Now if only we were on
> openssl> 1.1.1 :-(. I'm a little surprised that it doesn't read from a
> openssl> BIO.
>
> It's certainly possible to add such an API.  As a matter of fact, we
> do have that internally, specifically for PEM files...  have a look in
> 1.1.1's crypto/include/internal/store_int.h.  That's not the initial
> intention with the API, though...
>
> Also, I can't quite shake the feeling that a BIO API would be a bit
> shaky.  Internally, the file: scheme loader opens all files in binary
> mode, as it's designed to detect if the file is a PEM file or raw DER,
> so the question remains, if we would open up a BIO STORE API, what are
> the expectations?  Will people open such files in binary mode at all
> times?  Should that be a content type agnostic interface (i.e. should
> it detect if the file is PEM or raw DER), or should there be separate
> functions for PEM and raw DER content?
>
> Please note that for each question, we're getting further and further
> away from the idea of having an interface where the caller doesn't
> need to know much more than how to indicate where to load stuff from,
> to an API that almost becomes a 1:1 mapping of PEM and d2i functions.
> When we've come that far, what have we gained?
> But I dunno...  I'm ambivalent around these ideas, and considering
> those internal functions I mentioned, we do have some kind of base set
> up already, so it would probably not be that hard to open up that kind
> of functionality to the public.  Perhaps as a side thing, like STORE
> UTILS?
>
In general, if there is an API that can load something from a file,
there should be a matching API that can load it from a BIO (in fact,
the file API could/should be a wrapper for the BIO API).

Typical use would be for a program to set up a BIO type that loads
from something program specific, such as compiled-in "resources" or
a compressed format or a database or ..., and then proceed directly
without storing in temporary files and risking race conditions against
malicious outside manipulation.

For URL support, it would also make sense to allow the caller to
substitute their own URL/protocol library via the BIO interface if the
application already has its own library for that (as many, but not all,
network applications are likely to anyway).

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
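As an added illustration of the two points above (a loader that must sniff whether its input is PEM or raw DER, and feeding it from memory rather than a temporary file), here is example code that is neither OpenSSL's nor from this thread: a plain-C classifier over a buffer such as one read from a memory BIO, with constructed sample inputs. The function name, the label handling and the "top-level SEQUENCE spans the whole buffer" DER heuristic are my own assumptions, not OpenSSL API behaviour.

```c
#include <stddef.h>
#include <string.h>

enum content_kind { KIND_UNKNOWN = 0, KIND_PEM, KIND_DER };

/* Constructed samples, not real credentials: a PEM wrapper with a dummy body,
 * and the DER encoding of SEQUENCE { INTEGER 5 }. */
static const char sample_pem[] =
    "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n";
static const unsigned char sample_der[] = {0x30, 0x03, 0x02, 0x01, 0x05};

/* Classify bytes pulled from a BIO as PEM or raw DER before picking a decoder.
 * For PEM, the BEGIN label ("CERTIFICATE", "PRIVATE KEY", ...) is copied to label. */
enum content_kind sniff_content(const unsigned char *buf, size_t len,
                                char *label, size_t label_len)
{
    static const char begin[] = "-----BEGIN ";
    const size_t blen = sizeof(begin) - 1;
    size_t i = 0, hdr = 2, body, n, k;
    const unsigned char *p, *q;

    if (label_len > 0)
        label[0] = '\0';
    /* PEM readers tolerate leading whitespace; DER never starts with it. */
    while (i < len && (buf[i] == ' ' || buf[i] == '\t' || buf[i] == '\r' || buf[i] == '\n'))
        i++;
    if (len - i >= blen && memcmp(buf + i, begin, blen) == 0) {
        /* The label runs from after "BEGIN " to the closing "-----" on that line. */
        for (p = q = buf + i + blen; (size_t)(buf + len - q) >= 5 && *q != '\n'; q++)
            if (memcmp(q, "-----", 5) == 0)
                break;
        if ((size_t)(buf + len - q) < 5 || memcmp(q, "-----", 5) != 0 ||
            q == p || (size_t)(q - p) >= label_len)
            return KIND_UNKNOWN;
        memcpy(label, p, (size_t)(q - p));
        label[q - p] = '\0';
        return KIND_PEM;
    }
    /* Raw DER: a top-level SEQUENCE (0x30) whose length covers the whole buffer. */
    if (len < 2 || buf[0] != 0x30)
        return KIND_UNKNOWN;
    body = buf[1];
    if (buf[1] & 0x80) {             /* long-form length: next n bytes, big-endian */
        n = buf[1] & 0x7f;
        if (n == 0 || n > 4 || len < 2 + n)
            return KIND_UNKNOWN;
        for (body = 0, k = 0; k < n; k++)
            body = (body << 8) | buf[2 + k];
        hdr = 2 + n;
    }
    return hdr + body == len ? KIND_DER : KIND_UNKNOWN;
}
```

A real loader would hand a KIND_PEM buffer to the PEM reader and a KIND_DER buffer to the matching d2i function; a truncated or over-long DER length is rejected here rather than passed on.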