On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote:
> 
> On 12/26/2017 13:14, Salz, Rich via openssl-users wrote:
> >
> > So if you put locks around the SSL_CTX object when it’s used, then you
> > can use the set private key call to update the key; and then all
> > SSL_new objects afterwards will use the new credentials. Does that
> > meet your need?
> 
> Yes, that I already know how to do. The issue is how to get the key
> from a PEM file into a format that I can feed it with set private key.
> There doesn't appear to be a means to "un-file-ify" the set private key
> functions.

You can use the d2i_PrivateKey and i2d_PrivateKey functions to read and
write the file.

> > > "is there a decent way to convert a PEM or DER private key file into
> > > ASN.1" using OpenSSL calls (from a "C" program, not from the command
> > > line; we'll assume I have the key and cert files already.)
> >
> > I assume you mean “native C structure” and not ASN1? Because DER is
> > just the ASN1 serialized, and PEM is base64 encoded DER with marker
> > lines. …
> 
> So if I take a PEM private key file, strip the markers, and turn the
> actual key's base64 into binary (assuming an RSA key, so there's no "EC
> parameter" block in front) I now have an "opaque" unsigned character
> array of length "len" (the decoded Base64) which
> SSL_CTX_use_privateKey_ASN1 will accept? (Assuming the key file is
> unencrypted, of course.)
> 
> What is the parameter "pk" passed to the call in that instance (it's not
> in the man page)

From the manpage:

SSL_CTX_use_PrivateKey_ASN1() adds the private key of type _pk_

So you would need to know that it's an RSA or EC key. If you used
d2i_AutoPrivateKey you don't need to know the type and get an EVP_PKEY.

Kurt

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
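As an added example (not code from this thread or from OpenSSL), here is the step Karl describes in plain C with no OpenSSL dependency: strip the PEM markers and base64-decode the body into the DER buffer that SSL_CTX_use_PrivateKey_ASN1() or d2i_AutoPrivateKey() consume, and read the label to learn whether the file declares an RSA or EC key (the "pk" type Kurt refers to) or a PKCS#8 "PRIVATE KEY" whose type lives inside the DER. The sample PEM is a constructed 5-byte DER fragment, not a real key; the function names are my own.

```c
#include <stddef.h>
#include <string.h>
/* Constructed sample: the base64 body is a 5-byte DER fragment, not a real key. */
static const char SAMPLE_PEM[] =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MAMCAQU=\n"
    "-----END RSA PRIVATE KEY-----\n";

/* What the PEM label announces: 1 = RSA, 2 = EC (the "pk" type to pass),
 * 0 = PKCS#8 "PRIVATE KEY" (type is inside the DER), -1 = unknown/encrypted. */
int pem_key_type(const char *pem) {
    if (strstr(pem, "-----BEGIN RSA PRIVATE KEY-----")) return 1;
    if (strstr(pem, "-----BEGIN EC PRIVATE KEY-----")) return 2;
    if (strstr(pem, "-----BEGIN PRIVATE KEY-----")) return 0;
    return -1;
}

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}
/* Strip the markers and base64-decode the body into out (capacity cap).
 * Returns the DER length, or -1 for malformed, oversized or encrypted input. */
long pem_to_der(const char *pem, unsigned char *out, size_t cap) {
    if (strstr(pem, "Proc-Type:") || strstr(pem, "ENCRYPTED")) return -1;
    const char *b = strstr(pem, "-----BEGIN ");
    if (!b || !(b = strchr(b, '\n'))) return -1;   /* body starts after the BEGIN line */
    const char *e = strstr(b, "-----END ");
    if (!e) return -1;
    unsigned acc = 0; int bits = 0; size_t n = 0;
    for (const char *p = b; p < e && *p != '='; p++) {   /* '=' starts the padding */
        if (*p == '\n' || *p == '\r' || *p == ' ' || *p == '\t') continue;
        int v = b64val((unsigned char)*p);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits >= 8) {                 /* a full byte is ready */
            bits -= 8;
            if (n >= cap) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (long)n;
}
/* Decode SAMPLE_PEM into a static buffer; returns its DER length (5). */
static unsigned char g_der[256];
long decode_sample(void) { return pem_to_der(SAMPLE_PEM, g_der, sizeof g_der); }
int sample_der_byte(size_t i) { return g_der[i]; }
```

In a real program the resulting buffer goes to d2i_AutoPrivateKey() to obtain the EVP_PKEY Kurt mentions, which then feeds SSL_CTX_use_PrivateKey() under the lock Rich describes.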