Hard-coded keys and cert in the image

Hard-coded keys and cert in the image

Xie Grace Jingru-LJX001

Hello,

If the privkey and cacert have to be hard-coded in the image (by using #define), how can I tell SSL to look in these constants for the key and cert instead of the default directory? Which SSL routine do I need to change to let SSL know the new location of the key and certificate?

All suggestions are appreciated...!

Grace


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

RE: Hard-coded keys and cert in the image

Chong Peng
grace:

I believe what you are trying to do is what I did a few days ago. Here is how you do it:

1. Obtain the private key and certificate in PEM format, e.g., by using the following openssl commands:

$ openssl genrsa -out key.pem 1024
$ openssl req -new -key key.pem -out request.pem
$ openssl x509 -req -days 30 -in request.pem -signkey key.pem -out certificate.pem
$ openssl x509 -inform der -in certificate.crt -out certificate.pem

This will give you a private key and a self-signed certificate (in PEM format).

2. Open the PEM files (e.g., key.pem and certificate.pem) in a text editor and copy and paste the key and certificate into a C array.

3. Your C code is going to look like the following:

#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/x509.h>

EVP_PKEY *pkey = NULL;
X509 *cert = NULL;

/* The PEM text goes in as adjacent string literals, one per line, each ending
 * in "\n": the PEM reader works line by line and needs the line breaks. */
const char skey[] =
"-----BEGIN RSA PRIVATE KEY-----\n"
"MIICXAIBAAKBgQC0SF/4JTo3XzffsPeNPbglZ6sz/f/mlUO/CUtB8hk0DTz3V/9r\n"
"iWagrVHjqaF/xikWFsxbzKecRyDDNyhgMWV8eeAVGpJSvmyJZH43MWO1zCiBXsi2\n"
"MSHqQAJOfT803qTc3tPCb5k4UK5ytvwpQ8ZIyokrnQJS0FYKsonf3ASjKwIDAQAB\n"
"AoGAMR3Sv6lsze8sKs5s81cQV2iCFT0rPegGuAJRNZs+0JaWuJCJ7wNVKYtu1wa9\n"
"EDGtue3mKVB9ja83NthNML/kdOszLc1G6NVnWYSzgBPPsyPAJkSZw8TQKODmw+LF\n"
"sqGFjC73s49/lWO12Tv8qA0Zf4sXRY9dMiqX5kA5m8OWXfECQQDYkv2B1xfNK41v\n"
"PPeggVapasX53ZIiOdjc5UuaOWU7GDLhlyyFUCkDdx4eviBAEclWfNSueJNcK1Me\n"
"pulScGFTAkEA1RoXxsYgFVbZsK1i9hjxEqoWzP7dQBJTWqi/77BaPQvqX12ctVk0\n"
"pa0sR4XEKxGOBr11XJVlloTjpmm1hwLDyQJBAM25o1IpLhTZIDrgoSE4e0fngzQ9\n"
"A0m7xYLf1RclGkIuVHbykXn5kVwXVOdDF4OE4cpkPeuV4fUVuplNWCnVUr0CQBWR\n"
"a4ChwtOGE8hO9ComQhf6gQ5EaU43zJnrZGm09p0hHJqEVf0Ax1RRX57pif4166MA\n"
"/+Tb9gky7/uCzW2ZuQkCQFUoAhZnV9sQoifQpkCE10J3fZNyNLEvHKU3b4/rwvn7\n"
"5W618+Fr0DiwBkH07YSWRCVvi8rsYrK2/25DXSbXbD8=\n"
"-----END RSA PRIVATE KEY-----\n";

const char scert[] =
"-----BEGIN CERTIFICATE-----\n"
"MIICeTCCAeICCQDVIB2PKnpDmjANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMC\n"
"VVMxCzAJBgNVBAgTAkNBMRAwDgYDVQQHEwdTQU5KT1NFMQ8wDQYDVQQKEwZNQVhY\n"
"QU4xDDAKBgNVBAsTA0VORzEOMAwGA1UEAxMFY2hvbmcxIzAhBgkqhkiG9w0BCQEW\n"
"FGNob25ncGVuZ0BtYXh4YW4uY29tMB4XDTA1MTIyMTA0MDcxNloXDTA2MDEyMDA0\n"
"MDcxNlowgYAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEQMA4GA1UEBxMHU0FO\n"
"Sk9TRTEPMA0GA1UEChMGTUFYWEFOMQwwCgYDVQQLEwNFTkcxDjAMBgNVBAMTBWNo\n"
"b25nMSMwIQYJKoZIhvcNAQkBFhRjaG9uZ3BlbmdAbWF4eGFuLmNvbTCBnzANBgkq\n"
"hkiG9w0BAQEFAAOBjQAwgYkCgYEAtEhf+CU6N18337D3jT24JWerM/3/5pVDvwlL\n"
"QfIZNA0891f/a4lmoK1R46mhf8YpFhbMW8ynnEcgwzcoYDFlfHngFRqSUr5siWR+\n"
"NzFjtcwogV7ItjEh6kACTn0/NN6k3N7Twm+ZOFCucrb8KUPGSMqJK50CUtBWCrKJ\n"
"39wEoysCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBX0jTsC73wXYHDhenL2piboCMQ\n"
"qF96W/YLShYJla3ipc8JG0GHStTjUY4w7KGjDJippRUhddv0CUAilD7EPYusr1oY\n"
"sk+Tt7QKCSLnued6NZwGnjIV78BmMi5gp5UEotgmPMk6Q6WKl0rVMbiJWqgy9f7b\n"
"Hk3SUgTCdn/T+ajIFQ==\n"
"-----END CERTIFICATE-----\n";


int serverKey(void)
{
        BIO *bio;

        /* sizeof(skey) - 1: hand the parser the text only, not the string's trailing NUL */
        if( (bio=BIO_new_mem_buf((void *)skey, sizeof(skey) - 1)) == NULL)
        {
                return(-1);
        }

        if( (pkey=PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL)) == NULL)
        {
                BIO_free(bio);
                return(-1);
        }

        BIO_free(bio);

        return(0);
}

int serverCert(void)
{
        BIO *bio;

        if( (bio=BIO_new_mem_buf((void *)scert, sizeof(scert) - 1)) == NULL)
        {
                return(-1);
        }

        if( (cert=PEM_read_bio_X509(bio, NULL, NULL, NULL)) == NULL)
        {
                BIO_free(bio);
                return(-1);
        }

        BIO_free(bio);

        return(0);
}

This piece of code worked in the embedded system I am working on; hope this helps.

chong peng


Re: Hard-coded keys and cert in the image

Dr. Stephen Henson
In reply to this post by Xie Grace Jingru-LJX001
On Thu, Feb 09, 2006, Xie Grace Jingru-LJX001 wrote:

>
> If the privkey and cacert have to be hard-coded in the image (by using
> #define), how can I tell SSL to look into these constants for the key and
> cert instead of the default directory? Which SSL routine I need to change to
> let SSL know the new location of the key and certificate?
>

Well, you won't get it with a #define, but a variable will do. There are several
methods to do this.

The OpenSSL "x509" utility has a -C option which will output C code directly.

Alternatively you can convert the data in DER format using for example:

openssl x509 -in cert.pem -outform DER -out cert.der

then the Unix utility "xxd" can convert this to a C array. Then a d2i
ASN1 function can convert the result into an X509 structure. This X509
structure can then be used to pass the certificate to the SSL library.

A private key is similar except you use a different d2i function and get an
EVP_PKEY structure.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
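An added example, not code from the thread: a small build-time helper in plain C (no OpenSSL needed) that takes the PEM text you would paste in Chong's step 2 and produces the DER byte array Steve's route ends up with (what openssl x509 -outform DER followed by xxd -i gives you), and before printing it checks that the outer DER length agrees with the decoded size. That check catches the classic failure of this technique, a paste that lost its last line or picked up a stray character, at build time rather than as an opaque d2i_X509 failure at boot. Function names are mine; the tiny PEM blocks in the test are constructed.

```c
/* Added example, not from the thread: PEM text -> DER array for embedding,
 * with a framing check. Plain C, no OpenSSL dependency. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of one base64 alphabet character, or -1 if it is not one. */
static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode the body between "-----BEGIN ...-----" and "-----END ...-----" into
 * out[]. Line breaks and spaces are skipped, so a header and the first data
 * line pasted onto one line still decode. Returns the DER length or -1. */
long pem_to_der(const char *pem, unsigned char *out, size_t cap)
{
    const char *p = strstr(pem, "-----BEGIN ");
    if (p == NULL || (p = strstr(p + 11, "-----")) == NULL) return -1;
    p += 5;                                   /* past the BEGIN line's closing dashes */
    const char *end = strstr(p, "-----END ");
    if (end == NULL) return -1;

    unsigned acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; p < end && *p != '='; p++) {       /* '=' padding ends the data */
        int v = b64_val((unsigned char)*p);
        if (v < 0) {
            if (*p == '\n' || *p == '\r' || *p == ' ' || *p == '\t') continue;
            return -1;                        /* stray character in the paste */
        }
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (long)n;
}

/* Length of the outermost DER element (tag + length bytes + content), or -1
 * if the length header is malformed. A certificate or key is one SEQUENCE,
 * so this must equal the decoded size; anything else is truncation or junk. */
long der_total_length(const unsigned char *der, size_t len)
{
    if (len < 2) return -1;
    size_t i = 1;
    unsigned long content = der[i++];
    if (content & 0x80) {                     /* long form: next N bytes hold the length */
        int nbytes = (int)(content & 0x7f);
        if (nbytes == 0 || nbytes > 4 || i + (size_t)nbytes > len) return -1;
        content = 0;
        while (nbytes-- > 0) content = (content << 8) | der[i++];
    }
    return (long)(i + content);
}

/* Decode and check in one go: 0 = ok, 1 = framing mismatch, -1 = undecodable. */
int check_pem_blob(const char *pem, unsigned char *der, size_t cap, long *der_len)
{
    long n = pem_to_der(pem, der, cap);
    if (n < 0) return -1;
    *der_len = n;
    return der_total_length(der, (size_t)n) == n ? 0 : 1;
}

/* Print buf[] the way `xxd -i` does, plus the length constant d2i_* needs. */
void emit_c_array(FILE *fp, const char *name, const unsigned char *buf, size_t len)
{
    fprintf(fp, "static const unsigned char %s[] = {", name);
    for (size_t i = 0; i < len; i++)
        fprintf(fp, "%s0x%02x,", (i % 12 == 0) ? "\n    " : " ", buf[i]);
    fprintf(fp, "\n};\nstatic const unsigned int %s_len = %zu;\n", name, len);
}

/* Usage: ./pem2c cert_der < certificate.pem > cert_der.h */
int main(int argc, char **argv)
{
    static char pem[65536];
    static unsigned char der[49152];
    size_t got = fread(pem, 1, sizeof(pem) - 1, stdin);
    pem[got] = '\0';
    long der_len = 0;
    int rc = check_pem_blob(pem, der, sizeof(der), &der_len);
    if (rc != 0) {
        fprintf(stderr, "%s\n", rc < 0 ? "not a PEM block"
                                       : "DER length mismatch: truncated or damaged paste");
        return 1;
    }
    emit_c_array(stdout, argc > 1 ? argv[1] : "cert_der", der, (size_t)der_len);
    return 0;
}
```

Run it on the certificate.pem from step 1 and include the generated header; the array then goes to d2i_X509() (or d2i_PrivateKey() for the key) exactly as Steve describes, with the length constant as the second argument, and a build that fails here is far cheaper than a device that refuses to start a TLS handshake.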

RE: Hard-coded keys and cert in the image

Chong Peng
In reply to this post by Xie Grace Jingru-LJX001
Forgot one thing: after you have the private key (of type EVP_PKEY) and certificate (of type X509), you use:

SSL_CTX_use_certificate(ctx, cert) and SSL_CTX_use_PrivateKey(ctx, pkey)

to read them into your SSL context.


Re: Hard-coded keys and cert in the image

Alberto Alonso
In reply to this post by Dr. Stephen Henson
What would be the equivalent for the root certificate to be used during validation?

Basically the next step for me is not having to have the
SSL_CTX_load_verify_locations call.

The SSL_CTX_set_cert_store seems to be what I want, but I don't
find documentation on how to create the store in the first place.

Thanks,


Alberto


Re: Hard-coded keys and cert in the image

Dr. Stephen Henson
On Sat, Feb 11, 2006, Alberto Alonso wrote:

> What would be the equivalent to do the root certificate to
> be used during validation?
>
> Basically the next step for me is not having to have the
> SSL_CTX_load_verify_locations call.
>
> The SSL_CTX_set_cert_store seems to be what I want, but I don't
> find documentation on how to create the store in the first place.
>

You don't have to create one. That is done already.

You can call SSL_CTX_get_cert_store() to retrieve it.

Once you have it you simply call X509_STORE_add_cert().

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

RE: Hard-coded keys and cert in the image

Xie Grace Jingru-LJX001
In reply to this post by Xie Grace Jingru-LJX001
Thanks Chong Peng! It worked.

The only thing I had to change was to pass in parameters in the following function calls.

Instead of:
PEM_read_bio_X509(bio, NULL, NULL, NULL);
PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);

I did:
PEM_read_bio_X509(bio, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata);
PEM_read_bio_PrivateKey(bio, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata);


Thanks,
-Grace

Re: Hard-coded keys and cert in the image

Sly Upah
Sure, tomorrow though.
My kids don't give me much time to think on computer stuff here at home. ;)


Re: Hard-coded keys and cert in the image

Sly Upah
Oh, sorry, wrong list...
