> From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni
> Sent: Monday, 11 February, 2013 00:41

> On Mon, Feb 11, 2013 at 12:01:49AM -0500, Jeffrey Walton wrote:
> 
> > >> I'm trying to extract a public key (subjectPublicKeyInfo) 
> > >> from an X509 certificate.
> > >
> > > from apps/x509.c in the openssl source:
> > >
> > >         EVP_PKEY *pkey;
> > >
> > >         pkey=X509_get_pubkey(x);
> 
> This is not the subjectPublicKeyInfo. It is just the key bits, sans
> algorithm and parameters.  A common pitfall is to mistake this for
> the subjectPublicKeyInfo or to assume that X509_pubkey_digest()
> returns the digest of the subjectPublicKeyInfo.
> 
Not really. EVP_PKEY has the algorithm, parameters if any, and key 
pulled apart and converted to OpenSSL form, but they are all there.

Yes, X509_pubkey_digest is the digest of only the "actual key" 
bitstring, as required for SKI (and AKI), not the whole pubkeyinfo.
It works directly on the cert->key->public_key (bitstring) and has 
no relationship to X509_get_pubkey except a similar name.

> > Is there anything built into OpenSSL to write out a DER encoding of
> > subjectPublicKeyInfo?

>     X509   *cert;
>     int     len;
>     char   *buf;
>     char   *buf2;
> 
>     len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
>     buf2 = buf = OPENSSL_malloc(len);
>     if (buff == NULL) {
Obviously should be buf or buf2.

>       /* Out of memory */
>       ... report the error ...
>     }
>     i2d_X509_PUBKEY(X509_get_X509_PUBKEY(peercert), (unsigned char **)&buf2);
Obviously should be cert. I would just make buf and buf2 
unsigned char* in the first place; they point to DER data 
which should not be treated as text anyway (i.e. should not 
be puts() or strlen() or strcmp() etc.)

>     if (buf2 - buf != len) {
>       /* Should never happen: unexpected encoded length */
>       OPENSSL_free(buf);
>       ... report the error ...
>     }

To "write out" to a file, don't need to manage a buffer explicitly, 
can just i2d_X509_PUBKEY_{fp,bio} in one step.

Also i2d_$alg?PUBKEY (and PEM_write_$alg?PUBKEY) write pubkeyinfo 
from several OpenSSL internal structs including EVP_PKEY. But to 
just take existing info from a cert, your approach is more direct.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
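
The distinction drawn in the message above, as an added example that is not part of the thread and not OpenSSL code: given the DER SubjectPublicKeyInfo that i2d_X509_PUBKEY() produces, it locates the inner BIT STRING key bytes, the span X509_pubkey_digest() hashes. It is plain C with no OpenSSL calls; `der_hdr`, `spki_key_bits` and `SAMPLE_SPKI` are hypothetical names, and the sample is a constructed Ed25519 SPKI with dummy key bytes.

```c
#include <stddef.h>
#include <stdio.h>

/* Parse one DER header with the expected tag; n bytes are available at p.
 * Stores content offset/length and returns 0, or -1 on malformed input. */
static int der_hdr(const unsigned char *p, size_t n, unsigned char tag,
                   size_t *off, size_t *len)
{
    size_t i, k;
    if (n < 2 || p[0] != tag) return -1;
    *off = 2; *len = p[1];
    if (p[1] >= 0x80) {                    /* long form: k length octets */
        k = p[1] & 0x7f;
        if (k == 0 || k > sizeof(size_t) || n < 2 + k) return -1;
        for (*len = 0, i = 0; i < k; i++) *len = (*len << 8) | p[2 + i];
        *off = 2 + k;
    }
    return (*len > n - *off) ? -1 : 0;
}

/* spki: DER SubjectPublicKeyInfo, as i2d_X509_PUBKEY() emits it. On success
 * key and keylen cover the subjectPublicKey BIT STRING contents without the
 * unused-bits octet, the span X509_pubkey_digest() hashes. Assumption of
 * this sketch: keys with a non-zero unused-bits count are rejected. */
int spki_key_bits(const unsigned char *spki, size_t n,
                  const unsigned char **key, size_t *keylen)
{
    size_t off, len, aoff, alen, boff, blen;
    const unsigned char *p;
    if (der_hdr(spki, n, 0x30, &off, &len) || off + len != n) return -1;
    p = spki + off;                              /* outer SEQUENCE body */
    if (der_hdr(p, len, 0x30, &aoff, &alen)) return -1; /* AlgorithmIdentifier */
    p += aoff + alen; len -= aoff + alen;
    if (der_hdr(p, len, 0x03, &boff, &blen)) return -1; /* BIT STRING */
    if (boff + blen != len || blen < 1 || p[boff] != 0) return -1;
    *key = p + boff + 1; *keylen = blen - 1;
    return 0;
}

/* Constructed sample: Ed25519 SPKI prefix plus 32 dummy (zero) key bytes. */
static const unsigned char SAMPLE_SPKI[44] = {
    0x30,0x2a, 0x30,0x05,0x06,0x03,0x2b,0x65,0x70, 0x03,0x21,0x00 };

int main(void)
{
    const unsigned char *key; size_t keylen;
    if (spki_key_bits(SAMPLE_SPKI, sizeof SAMPLE_SPKI, &key, &keylen)) return 1;
    printf("SPKI %zu bytes; key bits %zu bytes\n", sizeof SAMPLE_SPKI, keylen);
    return 0;
}
```

A digest over all 44 bytes is a digest of the subjectPublicKeyInfo; a digest over only the 32 bytes returned in `key` corresponds to what X509_pubkey_digest() computes.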
