reading DER format public keys

reading DER format public keys

Michael Richardson

The PEM_* routines, as documented at:
    https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_PUBKEY.html
do not claim to read DER format input. (Actually they don't say anything about DER).
Ruby's library uses:
    pkey = PEM_read_bio_PUBKEY(bio, NULL, ossl_pem_passwd_cb, (void *)pass);

Its documentation claims it reads DER, so either it's wrong or the
underlying ruby extension or SSL code has changed.

There must be a way to read DER format public keys.
I'm suspecting that maybe the magic is in the way the BIO is created?
(FAQ question PROG03 hints at this for PKCS7 processing).

Going to read the source code.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     [hidden email]  http://www.sandelman.ca/        |   ruby on rails    [


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: reading DER format public keys

OpenSSL - User mailing list
> pkey = PEM_read_bio_PUBKEY(bio, NULL, ossl_pem_passwd_cb, (void *)pass);

That only reads PEM files.  If docs say otherwise, they are wrong.

> There must be a way to read DER format public keys.

A raw public key?  Or a cert?  Or a pkcs object?  Anyhow, doc/man3/d2i_X509.pod in master.


Re: reading DER format public keys

Robert Moskowitz
In reply to this post by Michael Richardson


On 09/15/2017 11:57 AM, Michael Richardson wrote:

> The PEM_* routines, as documented at:
>      https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_PUBKEY.html
> do not claim to read DER format input. (Actually they don't say anything about DER).
> Ruby's library uses:
>      pkey = PEM_read_bio_PUBKEY(bio, NULL, ossl_pem_passwd_cb, (void *)pass);
>
> Its documentation claims it reads DER, so either it's wrong or the
> underlying ruby extension or SSL code has changed.
>
> There must be a way to read DER format public keys.
> I'm suspecting that maybe the magic is in the way the BIO is created?
> (FAQ question PROG03 hints at this for PKCS7 processing).

I had problems with DER using the command line options.  I can create,
and display a DER keypair, a CSR, a self-signed cert.  I cannot use a
CSR to make a cert where everything is DER.  So something is missing
somewhere.  If you search back a bit, you will find my postings on this
with the error messages I got.

> Going to read the source code.

You are a better man than I...

Bob


Re: reading DER format public keys

Viktor Dukhovni
In reply to this post by Michael Richardson
On Fri, Sep 15, 2017 at 11:57:17AM -0400, Michael Richardson wrote:

>     pkey = PEM_read_bio_PUBKEY(bio, NULL, ossl_pem_passwd_cb, (void *)pass);

> There must be a way to read DER format public keys.
> I'm suspecting that maybe the magic is in the way the BIO is created?
> (FAQ question PROG03 hints at this for PKCS7 processing).

The function you're looking for is d2i_PUBKEY(3).  See for example:

    https://github.com/openssl/openssl/blob/master/ssl/ssl_lib.c#L344

which parses public keys from "TLSA ? 1 0 <keyblob>" records, which
have a DER encoding of the X.509 SubjectPublicKeyInfo (SPKI) in
the associated-data (4th) RData field.

It is the DER analogue of PEM_read_bio_PUBKEY.  With few exceptions,
you can s/PEM_READ_bio/d2i/ to go from reading PEM to reading DER.

--
        Viktor.

Re: reading DER format public keys

Michael Richardson

Viktor Dukhovni <[hidden email]> wrote:
    > On Fri, Sep 15, 2017 at 11:57:17AM -0400, Michael Richardson wrote:

    >> pkey = PEM_read_bio_PUBKEY(bio, NULL, ossl_pem_passwd_cb, (void *)pass);

    >> There must be a way to read DER format public keys.
    >> I'm suspecting that maybe the magic is in the way the BIO is created?
    >> (FAQ question PROG03 hints at this for PKCS7 processing).

    > The function you're looking for is d2i_PUBKEY(3).  See for example:

    > https://github.com/openssl/openssl/blob/master/ssl/ssl_lib.c#L344

Once I realized what this does, I then realized that it wasn't just
about doing something to set up the bio.... then I realized that the ruby
interface was in fact calling that.

*THEN* I realized I was feeding a certificate blob into a PK routine, and
that was really the problem.

    > It is the DER analogue of PEM_read_bio_PUBKEY.  With few exceptions,
    > you can s/PEM_READ_bio/d2i/ to go from reading PEM to reading DER.

It would be great if there were cross-references...

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     [hidden email]  http://www.sandelman.ca/        |   ruby on rails    [



Re: reading DER format public keys

Viktor Dukhovni

> On Sep 15, 2017, at 6:24 PM, Michael Richardson <[hidden email]> wrote:
>
>> It is the DER analogue of PEM_read_bio_PUBKEY.  With few exceptions,
>> you can s/PEM_READ_bio/d2i/ to go from reading PEM to reading DER.
>
> It would be great if there were cross-references...

I should note that the PEM_read_bio routines read data from a file,
while the d2i_PUBKEY() routine decodes data from memory.  The
corresponding "read a file" routines are:

        d2i_PUBKEY_bio()
and     d2i_PUBKEY_fp()

--
        Viktor.

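The two points of the thread (d2i_PUBKEY reads a bare SubjectPublicKeyInfo, not a certificate, and the in-memory d2i routine has file-reading _bio/_fp siblings) as an added example in Ruby, since Ruby's OpenSSL::PKey.read wraps those d2i_* readers; this is not code from the thread or from Ruby's OpenSSL binding, and the key pair, certificate and sample DER blobs are constructed inside the block.

```ruby
require 'openssl'

# Constructed test data (not from the thread): an RSA key pair and a
# self-signed certificate carrying its public key.
KEY  = OpenSSL::PKey::RSA.new(2048)
CERT = OpenSSL::X509::Certificate.new.tap do |c|
  c.version    = 2
  c.serial     = 1
  c.subject    = c.issuer = OpenSSL::X509::Name.parse('/CN=der-example')
  c.public_key = KEY.public_key
  c.not_before = Time.now
  c.not_after  = Time.now + 3600
  c.sign(KEY, OpenSSL::Digest.new('SHA256'))
end

# The two DER blobs that are easy to confuse: a bare SubjectPublicKeyInfo
# (what d2i_PUBKEY() expects) and a whole X.509 certificate that contains one.
SPKI_DER = KEY.public_key.to_der
CERT_DER = CERT.to_der

# Decode a DER blob from memory and return [kind, pkey], where kind is
# :spki, :certificate or :unknown. Trying the SPKI decoder first and the
# certificate decoder second avoids the "certificate fed to a PK routine"
# failure described in the thread.
def load_public_key(der)
  # OpenSSL::PKey.read is the d2i_PUBKEY() analogue (it also accepts PEM).
  begin
    return [:spki, OpenSSL::PKey.read(der)]
  rescue OpenSSL::PKey::PKeyError
  end
  # A certificate is a different ASN.1 structure: decode it as one and pull
  # the SPKI out (d2i_X509() + X509_get_pubkey() in C terms).
  begin
    return [:certificate, OpenSSL::X509::Certificate.new(der).public_key]
  rescue OpenSSL::X509::CertificateError
  end
  [:unknown, nil]
end

# The file-based analogue of d2i_PUBKEY_fp()/d2i_PUBKEY_bio(): read the
# bytes and hand them to the in-memory decoder.
def load_public_key_file(path)
  load_public_key(File.binread(path))
end

# Two public keys are the same key if their SPKI encodings match.
def same_key?(a, b)
  a.to_der == b.to_der
end
```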