Simple question: Maximum length of PEM file?

Simple question: Maximum length of PEM file?

Katif
Hi,

I need to know in advance the maximum length of the following three PEM formatted files (excluding the -----BEGIN/END lines):

Private key file, Certificate file, CA certificate file.

For example - the following file has 68 characters length:

-----BEGIN CERTIFICATE-----
MIIDCDCCAfACCQDhtkeHC+WN+DANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJQ
TD
-----END CERTIFICATE-----



Thanks..

Re: Simple question: Maximum length of PEM file?

Kenneth Goldman
Is that possible in general?  There's no maximum key size
or signature size, and certificates can have extensions.

I typically read the file size first, then allocate memory, then
read the file.

In general, hard coding a maximum length is used to enable a
buffer overflow attack.  :-)

[hidden email] wrote on 07/26/2011 07:38:12 AM:

> From: Katif <[hidden email]>
> To: [hidden email]
> Date: 07/26/2011 09:17 AM
>
> I need to know in advance the maximum length of the following three PEM
> formatted files (excluding the -----BEGIN/END lines):
>
> Private key file, Certificate file, CA certificate file.
>
> For example - the following file has 68 characters length:
>
> -----BEGIN CERTIFICATE-----
> MIIDCDCCAfACCQDhtkeHC+WN+DANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJQ
> TD
> -----END CERTIFICATE-----


Re: Simple question: Maximum length of PEM file?

Katif
Thanks for the reply, Kenneth,

I need to store the certification, private key and CA certification in a non-volatile memory, and we're quite out of room in flash space...

Can you think about a practical limit for those sizes? (can't dynamically calculate it, the place on flash needs to be reserved for it)

If you're aware of any other trick to decrease the size of those PEM string keys then you're more than welcome to suggest,

Thanks again.



Kenneth Goldman wrote
Is that possible in general?  There's no maximum key size
or signature size, and certificates can have extensions.

I typically read the file size first, then allocate memory, then
read the file.

In general, hard coding a maximum length is used to enable a
buffer overflow attack.  :-)

owner-openssl-users@openssl.org wrote on 07/26/2011 07:38:12 AM:

> From: Katif <yizhar@gmail.com>
> To: openssl-users@openssl.org
> Date: 07/26/2011 09:17 AM
>
> I need to know in advance the maximum length of the following three PEM
> formatted files (excluding the -----BEGIN/END lines):
>
> Private key file, Certificate file, CA certificate file.
>
> For example - the following file has 68 characters length:
>
> -----BEGIN CERTIFICATE-----
> MIIDCDCCAfACCQDhtkeHC+WN+DANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJQ
> TD
> -----END CERTIFICATE-----

Re: Simple question: Maximum length of PEM file?

JoelKatz
In reply to this post by Katif
On 7/26/2011 4:38 AM, Katif wrote:

> I need to know in advance the maximum length of the following three PEM
> formatted files (excluding the -----BEGIN/END lines):

It's application-dependent. There is no answer in general.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Simple question: Maximum length of PEM file?

Katif
Can you tell me what are the application dependency factor here so we'll be able to chase a limit?

It is used as an RSA key exchange certification/private key pairing.

Thanks...

JoelKatz wrote
On 7/26/2011 4:38 AM, Katif wrote:

> I need to know in advance the maximum length of the following three PEM
> formatted files (excluding the -----BEGIN/END lines):

It's application-dependent. There is no answer in general.

DS


Re: Simple question: Maximum length of PEM file?

Wim Lewis-3

On 26 Jul 2011, at 10:16 PM, Katif wrote:
> Can you tell me what are the application dependency factor here so we'll be
> able to chase a limit?
>
> It is used as an RSA key exchange certification/private key pairing.
>
> Thanks...


The two things that are variable size are the key material itself, and the many fields that can occur in a certificate. A private key file just has key material, so its size should be proportional to the key size in bits (plus constant overhead); a certificate has key material for the key it represents, a signature from the issuer's key (which may have a size dependent on that key's size), and an arbitrary collection of other data that can be incorporated into the certificate when it's created (such as the name or address of the subject, or a list of permitted/forbidden uses, CRL distribution points, legal boilerplate, etc). I don't think there's any limit to the amount of extension data that can be included in a certificate, though in practice it's rarely more than a few kilobytes.

I'd suggest parsing a handful of files using "openssl asn1parse" to get an idea of what's in there and how large each thing is. The sizes and offsets that asn1parse gives you refer to the DER-encoded file; a PEM-encoded file has four bytes for every three of DER, plus another few percent overhead for line endings.

As Kenneth Goldman says, though, you need to consider what will happen when you encounter a certificate larger than you expect, because it *will* happen.


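The sizing arithmetic from Wim Lewis's reply and the read-the-size-first check from Kenneth Goldman's reply, as an added example that is not part of the original thread. The 64-character line width, `'\n'` line endings, the function names and the slot sizes are assumptions; the sample header bytes are what the `MIIDCD` prefix of the certificate quoted in the first post decodes to.

```c
#include <stddef.h>
#include <stdio.h>
#define PEM_LINE_CHARS 64   /* assumption: 64 base64 chars per line, '\n' endings */

/* Constructed sample: the four bytes that the "MIIDCD" prefix of the
 * certificate quoted in the thread decodes to (SEQUENCE, 2-byte length). */
static const unsigned char sample_hdr[4] = { 0x30, 0x82, 0x03, 0x08 };

/* PEM body size (excluding the BEGIN/END lines) for der_len bytes of DER. */
size_t pem_body_len(size_t der_len)
{
    size_t b64 = ((der_len + 2) / 3) * 4;            /* 4 chars per 3 bytes */
    size_t lines = (b64 + PEM_LINE_CHARS - 1) / PEM_LINE_CHARS;
    return b64 + lines;                              /* one '\n' per line */
}

/* Total size (header + content) of a DER SEQUENCE, read from its first bytes.
 * Returns 0 on success; -1 for a truncated header, a non-SEQUENCE tag,
 * the indefinite form, or more than 3 length bytes. */
int der_total_len(const unsigned char *p, size_t avail, size_t *total)
{
    size_t n, i, len = 0;
    if (avail < 2 || p[0] != 0x30)
        return -1;
    if (p[1] < 0x80) {                               /* short form */
        *total = 2 + (size_t)p[1];
        return 0;
    }
    n = p[1] & 0x7f;                                 /* long form: n length bytes */
    if (n == 0 || n > 3 || avail < 2 + n)
        return -1;
    for (i = 0; i < n; i++)
        len = (len << 8) | p[2 + i];
    *total = 2 + n + len;
    return 0;
}

/* Decide before reading the body whether the object fits a reserved slot. */
int der_fits_slot(const unsigned char *hdr, size_t avail, size_t slot_len)
{
    size_t total;
    return (der_total_len(hdr, avail, &total) == 0 && total <= slot_len) ? 0 : -1;
}

int main(void)
{
    size_t total = 0;
    if (der_total_len(sample_hdr, sizeof sample_hdr, &total) == 0)
        printf("DER %zu bytes, PEM body %zu bytes, fits 1024-byte slot: %s\n", total,
               pem_body_len(total), der_fits_slot(sample_hdr, 4, 1024) == 0 ? "yes" : "no");
    return 0;
}
```

For the quoted certificate this gives 780 bytes of DER against 1057 bytes of PEM body, which is the four-for-three expansion plus line endings described above.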

Re: Simple question: Maximum length of PEM file?

JoelKatz
In reply to this post by Katif
On 7/26/2011 10:16 PM, Katif wrote:
>
> Can you tell me what are the application dependency factor here so we'll be
> able to chase a limit?
>
> It is used as an RSA key exchange certification/private key pairing.
>
> Thanks...

Maximum RSA key size supported.
Extensions supported.

DS



Re: Simple question: Maximum length of PEM file?

Katif
In reply to this post by Wim Lewis-3
Thanks Wim, for your kind & informative answer.



Wim Lewis-3 wrote
On 26 Jul 2011, at 10:16 PM, Katif wrote:
> Can you tell me what are the application dependency factor here so we'll be
> able to chase a limit?
>
> It is used as an RSA key exchange certification/private key pairing.
>
> Thanks...


The two things that are variable size are the key material itself, and the many fields that can occur in a certificate. A private key file just has key material, so its size should be proportional to the key size in bits (plus constant overhead); a certificate has key material for the key it represents, a signature from the issuer's key (which may have a size dependent on that key's size), and an arbitrary collection of other data that can be incorporated into the certificate when it's created (such as the name or address of the subject, or a list of permitted/forbidden uses, CRL distribution points, legal boilerplate, etc). I don't think there's any limit to the amount of extension data that can be included in a certificate, though in practice it's rarely more than a few kilobytes.

I'd suggest parsing a handful of files using "openssl asn1parse" to get an idea of what's in there and how large each thing is. The sizes and offsets that asn1parse gives you refer to the DER-encoded file; a PEM-encoded file has four bytes for every three of DER, plus another few percent overhead for line endings.

As Kenneth Goldman says, though, you need to consider what will happen when you encounter a certificate larger than you expect, because it *will* happen.

