Re: Programmatically check private key and public key cert?

[Karl Denninger <karl@xxxxxxxxxxxxx>]

On 1/11/2018 09:28, pratyush parimal wrote:

Hi,

Hope everyone is having a good new year so far!

I'm trying to find a way to make sure that a private-key/public-key-cert pair I'm given, will absolutely work when I stick  them into my SSL_CTX* object and try to use that for ssl. Short of trying to simulate a test ssl connection over localhost for testing them out, is there a way to ensure that?

After googling, it seems that I may be able to verify that by comparing the modulus from the key and the cert. Does anyone know if that's sufficient, and how to do it programmatically?

If you call SSL_CTX_check_private_key() on your context it will return "0" if the private key and certificate you have loaded do not match (and thus won't work.)  If you get a "1" back then provided you have a set of ciphers declared (or the defaults) that are compatible on both ends so the code can negotiate a cipher set then it should work.

There is no guaranteed way to know if a connection will work from some other piece of code you don't control, however, because it's entirely possible for the other end to try to insist on (or only be able to support) a protocol you have disallowed (e.g. SSLv3) or for there to be no intersection between the cipher sets allowed by both sides and the certificate and key constraints (never mind certificate validation, if you are checking it.)

I was also wondering if I should just try to perform an encrypt-decrypt sequence using the pair I have, and use the success of that as confirmation that my ssl connection will work later, as far as the certs are concerned. Would that be the right way to go about it?

IMHO see above.

--
Karl Denninger
karl@xxxxxxxxxxxxx
The Market Ticker
[S/MIME encrypted email preferred]

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users