Re: Question as to best options....

On 12/26/2017 14:07, Kurt Roeckx wrote:
On Tue, Dec 26, 2017 at 01:42:57PM -0600, Karl Denninger wrote:
On 12/26/2017 13:14, Salz, Rich via openssl-users wrote:
So if you put locks around the SSL_CTX object when it’s used, then you
can use the set private key call to update the key; and then all
SSL_new objects afterwards will use the new credentials.  Does that
meet your need?

Yes, that I already know how to do.  The issue is how to get the key
from a PEM file into a format that I can feed it with set private key. 
There doesn't appear to be a means to "un-file-ify" the set private key
functions.
You can use the d2i_PrivateKey and i2d_PrivateKey functions to read
and write the file.

"is there a decent way to convert a PEM or DER private key file into
ASN.1" using OpenSSL calls (from a "C" program, not from the command
line; we'll assume I have the key and cert files already.)

I assume you mean “native C structure” and not ASN1?  Because DER is
just the ASN1 serialized, and PEM is base64 encoded DER with marker
lines. …



So if I take a PEM private key file, strip the markers, and turn the
actual key's base64 into binary (assuming an RSA key, so there's no "EC
parameter" block in front) I now have an "opaque" unsigned character
array of length "len" (the decoded Base64) which
SSL_CTX_use_PrivateKey_ASN1 will accept?  (Assuming the key file is
unencrypted, of course.)

What is the parameter "pk" passed to the call in that instance? (It's not
in the man page.)
From the manpage:
SSL_CTX_use_PrivateKey_ASN1() adds the private key of type _pk_

So you would need to know that it's an RSA or EC key. If you used
d2i_AutoPrivateKey you don't need to know the type and get an
EVP_PKEY.


Kurt
Thanks - I suspect I have enough to get things rolling :-)

--
Karl Denninger
karl@xxxxxxxxxxxxx
The Market Ticker
[S/MIME encrypted email preferred]
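
The PEM-to-DER step discussed in this thread, as an added example that is not code from any of the posters or from OpenSSL: it strips the marker lines, decodes the base64 body and checks the DER framing, yielding the buffer and length that a call such as SSL_CTX_use_PrivateKey_ASN1 or d2i_AutoPrivateKey takes. The names `pem_to_der`, `key_hint` and `SAMPLE_PEM` are hypothetical, the sample is a constructed blob rather than a real key, and the input is assumed to hold a single unencrypted block.

```c
#include <string.h>

/* Type hint from the PEM label. A PKCS#8 "PRIVATE KEY" block names its
 * algorithm inside the DER, so the label alone cannot give the pk type. */
enum key_hint { HINT_NONE, HINT_RSA, HINT_EC, HINT_PKCS8 };

/* Constructed sample, NOT a real key: SEQUENCE { INTEGER 0, OCTET STRING AA } */
static const char SAMPLE_PEM[] =
    "-----BEGIN PRIVATE KEY-----\nMAYCAQAE\nAao=\n-----END PRIVATE KEY-----\n";

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Strip the marker lines, base64-decode the body into out, and check the DER
 * framing. Returns the DER length, or -1 on malformed or unsupported input. */
long pem_to_der(const char *pem, unsigned char *out, size_t cap, enum key_hint *hint) {
    const char *b = strstr(pem, "-----BEGIN ");
    const char *body = b ? strstr(b += 11, "-----") : NULL;
    if (!body) return -1;
    size_t lab = (size_t)(body - b);
    *hint = (lab == 15 && !strncmp(b, "RSA PRIVATE KEY", lab)) ? HINT_RSA
          : (lab == 14 && !strncmp(b, "EC PRIVATE KEY", lab))  ? HINT_EC
          : (lab == 11 && !strncmp(b, "PRIVATE KEY", lab))     ? HINT_PKCS8 : HINT_NONE;
    const char *e = strstr(body += 5, "-----END ");
    if (!e || *hint == HINT_NONE) return -1;   /* e.g. ENCRYPTED PRIVATE KEY */
    unsigned acc = 0; int bits = 0; size_t n = 0;
    for (const char *p = body; p < e; p++) {
        if (strchr("\r\n\t =", *p)) continue;  /* line wraps and padding */
        int v = b64val((unsigned char)*p);
        if (v < 0) return -1;                  /* header lines, stray bytes */
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits >= 8 && n >= cap) return -1;  /* output buffer too small */
        if (bits >= 8) { bits -= 8; out[n++] = (unsigned char)(acc >> bits); }
    }
    /* The outer element must be one SEQUENCE whose length spans the buffer. */
    if (n < 2 || out[0] != 0x30) return -1;
    size_t len = out[1], hdr = 2;
    if (len & 0x80) {                          /* long-form length */
        size_t k = len & 0x7F;
        if (!k || k > 4 || n < 2 + k) return -1;
        for (len = 0; k--; ) len = (len << 8) | out[hdr++];
    }
    return hdr + len == n ? (long)n : -1;
}
```

A file that carries an EC PARAMETERS block or an encrypted key is rejected by this sketch rather than parsed.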

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
