On Sat, 19 Nov 2022 01:26:38 -0500, Viktor Dukhovni wrote:

> Often, if you want a clear example of OpenSSL API usage, one place to
> look is the Postfix "tls" library. In this case:
>
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_certkey.c#L245-L266
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_certkey.c#L363-L370

Yes, I should not forget to look there first. I did look a lot at
OpenSSL internals though.

> Generally, I would expect d2i_... to automatically detect the algorithm
> when tagged with suitable OIDs, and so d2i_AutoPrivateKey() could
> often work, but if you know the expected key type, you can ask for
> that explicitly with d2i_PrivateKey().

I figured it out. So, d2i_PrivateKey() wants a PKCS#8 wrapper so it can
figure out what the type of the private key blob is. On the other hand,
d2i_PublicKey() wants the input key to indicate the type of public key
to import. A strange asymmetry, but it works. Staring at Postfix and
OpenSSL code helped.

> I strive to also check that the buffer pointer advanced by the expected
> length (no "left-over" data):
>
> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_certkey.c#L293-L306

Yes, indeed. If you glanced at my WIP code, it's not ready.

Nico