Simple question: Maximum length of PEM file?

Kenneth Goldman wrote

Is that possible in general?  There's no maximum key size
or signature size, and certificates can have extensions.

I typically read the file size first, then allocate memory, then
read the file.

In general, hard coding a maximum length is used to enable a
buffer overflow attack.  :-)

owner-openssl-users@openssl.org wrote on 07/26/2011 07:38:12 AM:

> From: Katif <yizhar@gmail.com>
> To: openssl-users@openssl.org
> Date: 07/26/2011 09:17 AM
>
> I need to know in advance the maximum length of the following three PEM
> formatted files (excluding the -----BEGIN/END lines):
>
> Private key file, Certificate file, CA certificate file.
>
> For example - the following file has 68 characters length:
>
> -----BEGIN CERTIFICATE-----
> MIIDCDCCAfACCQDhtkeHC+WN+DANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJQ
> TD
> -----END CERTIFICATE-----

JoelKatz wrote

On 7/26/2011 4:38 AM, Katif wrote:

> I need to know in advance the maximum length of the following three PEM
> formatted files (excluding the -----BEGIN/END lines):

It's application-dependent. There is no answer in general.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org

Wim Lewis-3 wrote

On 26 Jul 2011, at 10:16 PM, Katif wrote:
> Can you tell me what are the application dependency factor here so we'll be
> able to chase a limit?
>
> It is used as an RSA key exchange certification/private key pairing.
>
> Thanks...


The two things that are variable size are the key material itself, and the many fields that can occur in a certificate. A private key file just has key material, so its size should be proportional to the key size in bits (plus constant overhead); a certificate has key material for the key it represents, a signature from the issuer's key (which may have a size dependent on that key's size), and an arbitrary collection of other data that can be incorporated into the certificate when it's created (such as the name or address of the subject, or a list of permitted/forbidden uses, CRL distribution points, legal boilerplate, etc). I don't think there's any limit to the amount of extension data that can be included in a certificate, though in practice it's rarely more than a few kilobytes.

I'd suggest parsing a handful of files using "openssl asn1parse" to get an idea of what's in there and how large each thing is. The sizes and offsets that asn1parse gives you refer to the DER-encoded file; a PEM-encoded file has four bytes for every three of DER, plus another few percent overhead for line endings.

As Kenneth Goldman says, though, you need to consider what will happen when you encounter a certificate larger than you expect, because it *will* happen.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org