X509_get_pubkey() in OpenSSL 3.0?

Jason Schultz jetson23 at hotmail.com
Tue Nov 2 20:28:01 UTC 2021


Viktor-

I can't seem to find any documentation on SSL_CTX_get0_privatekey(), but by the name of it, it sounds like it's getting the private key; I'm trying to get the public key.

That said, I should probably explain more of why I'm doing what I'm doing, because there may be an easier way all together. Basically, we allow configuring RSA or EC certificates/keys, and I want to get the public key so I can check the type of key with a call to:

 EVP_PKEY_base_id(pubkey);

I check the return value from that against, for example, EVP_PKEY_EC to verify an EC certificate was configured, as opposed to RSA. That's the gist of it, without going into too many application specific details.

So maybe there's a better way? After I call:

 SSL_CTX_use_certificate_file(ctx,<certfile>,SSL_FILETYPE_PEM);

Is there an API I can call passing the ctx that will tell me what type of certificate is in use for that ctx? Or something else along those lines?

It's very possible I'm overcomplicating things with the fopen(), PEM_read_X509(), X509_get_pubkey() sequence, so any suggestions on how to better accomplish this verification are welcome.

Regards,

Jason


> I thought I should start a new thread since this question was buried in my "FIPS" thread and I don't think it has anything to do with FIPS and OpenSSL providers. I'm hitting another problem that I think is related to the migration to OpenSSL 3.0, as this code works with OpenSSL 1.1.1 (and 1.0.2 before it). When looking at the documentation pages for 1.1.1 vs 3.0, I'm not seeing any differences between the OpenSSL APIs I'm calling in the 2 different release levels.
>
> Here is the sequence, I'm basically setting up my certificate and private key, both in PEM format, for the server, then I need to extract some information from them:
>
>     ctx = SSL_CTX_new_ex(non_fips_libctx, NULL, TLS_method());
>     SSL_CTX_use_PrivateKey_file(ctx,<keyfile>,SSL_FILETYPE_PEM);
>     SSL_CTX_use_certificate_file(ctx,<certfile>,SSL_FILETYPE_PEM);
>     SSL_CTX_check_private_key(ctx);
>     fp = fopen(<certfile>, "r");
>     mycert = PEM_read_X509(fp, NULL, 0, NULL);
>     pkey = X509_get_pubkey(mycert);

Without addressing the question of why you're unable to get the public
key handle from the certificate, why not just:

     pkey = SSL_CTX_get0_privatekey(ctx);

and skip reading the cert again?

--
    Viktor.

