Hard coding keys and certs


Hard coding keys and certs

Alberto Alonso
I would like to be able to hard code the key/cert in the
application instead of having files.

Is there something similar to SSL_CTX_use_PrivateKey_file
and SSL_CTX_use_PrivateKey_file, but that I can use with pointers
to memory?

If so, how do I convert the current files into that binary
data format?

I would also like to have already in memory the cert chain
for the root cert.

The goal is to distribute a single binary that doesn't depend
on any external files and that can verify that it is connecting
to the right server.

Thanks,

Alberto

--
Alberto Alonso                        Global Gate Systems LLC.
(512) 351-7233                        http://www.ggsys.net
Hardware, consulting, sysadmin, monitoring and remote backups

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Hard coding keys and certs

Katie Lucas
On Fri, Feb 03, 2006 at 02:54:38PM -0600, Alberto Alonso wrote:

> I would like to be able to hard code the key/cert in the
> application instead of having files.
>
> Is there something similar to: SSL_CTX_use_PrivateKey_file
> and SSL_CTX_use_PrivateKey_file but that I can use pointers
> memory?
>
> If so, how do I convert the current files into that binary
> data format?
>
> I would also like to have already in memory the cert chain
> for the root cert.
>
> The goal is to distribute a single binary that doesn't depend
> on any external files that can verify that it is connecting
> to the right server.
SSL_CTX_use_PrivateKey_ASN1 takes a pointer to char* and a length.

Although all that does is call d2i_PrivateKey and then
SSL_CTX_use_PrivateKey and error-check everything. d2i_* takes a DER
encoded something and returns the internal version.

So you can, at compile time, build a small app which will read a
key/certificate/etc. and use an i2d_* routine to DER encode it, dropping
that into a file. The file you run through a quick filter to turn into
a suitable include file, making the binary data a character
array. ("od" may help doing this with the right options, or failing
that a quick perl script.)

Then you can just pass a pointer to that into d2i_PrivateKey and then
SSL_CTX_use_PrivateKey at runtime.



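The "quick filter" step from the reply above, as an added example written for this page rather than code from the original posts: a small C tool that reads a PEM file, base64-decodes the first BEGIN/END block into its DER bytes (so you do not need a separate i2d_* step if you already have PEM files), and prints those bytes as a C array plus a length constant that can go straight into an include file. It handles one unencrypted PEM block; an encrypted key (one with Proc-Type/DEK-Info headers) has to be decrypted first. The PEM body in selftest() is constructed for the test and decodes to the five DER bytes of SEQUENCE { INTEGER 5 }, not to a real certificate; the output symbol name is whatever is passed on the command line.

```c
/* Added example (not from the original posts): turn a PEM file into a C
 * array of its DER bytes, i.e. the "quick filter" step. Handles a single
 * unencrypted BEGIN/END block; decrypt encrypted keys first. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of one base64 alphabet character, or -1 if it is not in the alphabet. */
static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode the first "-----BEGIN ...-----" block of pem into out.
 * Returns the DER length, or -1 on malformed input or if out is too small. */
long pem_to_der(const char *pem, unsigned char *out, size_t outcap)
{
    const char *p = strstr(pem, "-----BEGIN ");
    if (p == NULL || (p = strchr(p, '\n')) == NULL) return -1;
    const char *end = strstr(++p, "-----END ");
    if (end == NULL) return -1;

    unsigned long acc = 0;      /* bit accumulator, at most 12 bits in use */
    int nbits = 0, padding = 0;
    size_t n = 0;
    for (; p < end; p++) {
        int c = (unsigned char)*p;
        if (c == '\n' || c == '\r' || c == ' ' || c == '\t') continue;
        if (c == '=') { padding++; continue; }
        int v = b64val(c);
        if (v < 0 || padding > 0) return -1;   /* bad char, or data after '=' */
        acc = ((acc << 6) | (unsigned long)v) & 0xffffUL;
        nbits += 6;
        if (nbits >= 8) {                      /* a full byte is available */
            nbits -= 8;
            if (n >= outcap) return -1;
            out[n++] = (unsigned char)((acc >> nbits) & 0xff);
        }
    }
    return padding <= 2 ? (long)n : -1;
}

/* Print der as a C array named name, 12 bytes per line, plus a length. */
void emit_c_array(FILE *f, const char *name, const unsigned char *der, size_t n)
{
    fprintf(f, "static const unsigned char %s[] = {", name);
    for (size_t i = 0; i < n; i++)
        fprintf(f, "%s0x%02x,", (i % 12 == 0) ? "\n    " : " ", der[i]);
    fprintf(f, "\n};\nstatic const size_t %s_len = %zu;\n", name, n);
}

/* Constructed sample: the base64 body decodes to DER 30 03 02 01 05,
 * SEQUENCE { INTEGER 5 }, not a real certificate. */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE-----\n";

/* Returns 1 if the constructed sample decodes to the expected DER bytes. */
int selftest(void)
{
    static const unsigned char want[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
    unsigned char got[16];
    long n = pem_to_der(SAMPLE_PEM, got, sizeof got);
    return n == (long)sizeof want && memcmp(got, want, sizeof want) == 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s file.pem symbol_name\n", argv[0]);
        return 2;
    }
    FILE *fp = fopen(argv[1], "rb");
    if (fp == NULL) { perror(argv[1]); return 1; }
    static char pem[1 << 16];              /* plenty for one cert or key */
    static unsigned char der[1 << 16];
    size_t got = fread(pem, 1, sizeof pem - 1, fp);
    fclose(fp);
    pem[got] = '\0';
    long n = pem_to_der(pem, der, sizeof der);
    if (n < 0) { fprintf(stderr, "%s: no valid PEM block\n", argv[1]); return 1; }
    emit_c_array(stdout, argv[2], der, (size_t)n);
    return 0;
}
```

With the openssl command line at hand the same conversion is `openssl x509 -in cert.pem -outform DER -out cert.der` (or `openssl pkey -in key.pem -outform DER -out key.der`) followed by `xxd -i cert.der`; the tool above is for a build that should not depend on either. Whichever way the header is produced, it contains the private key in cleartext exactly as the key file did, so keep it out of version control and out of any build output you publish.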

Re: Hard coding keys and certs

Peter Sylvester
like openssl x509 -C
> So you can, at compile time, build a small app which will read a
> key/certificate/etc and use an i2d_* routine to DER encode it, dropping
> that into a file. The file you run through a quick filter to turn into
> a suitable include file making the binary data a character
> array. ("od" may help doing this with the right options, or failing
> that a quick perl script).
>
> T
ture, see http://edelpki.edelweb.fr/ 
This lets you load the authority's certificate;
you will also find the list of revoked certificates there.



Re: Hard coding keys and certs

Alberto Alonso
Thanks, this is exactly what I was looking for.

And thanks also to Peter for pointing out the already
built-in option openssl x509 -C,
which produces the perfect C stub code.

Alberto

On Mon, 2006-02-06 at 10:04 +0000, Katie Lucas wrote:

> On Fri, Feb 03, 2006 at 02:54:38PM -0600, Alberto Alonso wrote:
> > I would like to be able to hard code the key/cert in the
> > application instead of having files.
> >
> > Is there something similar to: SSL_CTX_use_PrivateKey_file
> > and SSL_CTX_use_PrivateKey_file but that I can use pointers
> > memory?
> >
> > If so, how do I convert the current files into that binary
> > data format?
> >
> > I would also like to have already in memory the cert chain
> > for the root cert.
> >
> > The goal is to distribute a single binary that doesn't depend
> > on any external files that can verify that it is connecting
> > to the right server.
>
>
> SSL_CTX_use_PrivateKey_ASN1 takes a pointer to char* and a length.
>
> Although, all that does is call d2i_PrivateKey and then
> SSL_CTX_use_PrivateKey and error check everything... d2i_* takes a DER
> encoded something and returns the internal version.
>
> So you can, at compile time, build a small app which will read a
> key/certificate/etc and use an i2d_* routine to DER encode it, dropping
> that into a file. The file you run through a quick filter to turn into
> a suitable include file making the binary data a character
> array. ("od" may help doing this with the right options, or failing
> that a quick perl script).
>
> Then you can just use the pointer to that into d2i_PrivateKey then
> SSL_CTX_use_PrivateKey at runtime.
--
Alberto Alonso                        Global Gate Systems LLC.
(512) 351-7233                        http://www.ggsys.net
Hardware, consulting, sysadmin, monitoring and remote backups
