Getting the peer certificate encoding - Openssl



Thread: Getting the peer certificate encoding

  1. Getting the peer certificate encoding

    Hi All,

    I am new to OpenSSL. We have one application which will verify the peer
    certificate.

    Problem is our application will verify only DER format certificates.

    So if I get the peer certificate in PEM format, I will convert that into
    DER and I will verify the peer certificate.

    Is there any OpenSSL API which will tell me about the peer certificate
    encoding?
    I want to know whether it is in PEM or DER?

    Thanks in advance,

    Waiting for your reply,

    Aravind.


  2. RE: Getting the peer certificate encoding


    Aravinda Babu wrote:

    > Problem is our application will verify only DER format certificates.


    > So if I get the peer certificate in PEM format, I will convert
    > that into DER and I will verify the peer certificate.


    > Is there any OpenSSL API which will tell me about the peer
    > certificate encoding?
    > I want to know whether it is in PEM or DER?


    Is the certificate in a memory buffer or a file? Either way, you can just
    look at the data. If it's PEM, the whole file will be printable text. The
    first few characters will be perhaps some number of newlines or empty
    spaces, but the first non-whitespace should be a '-'. If it's DER, there
    will be many non-printable characters.

    However, it's probably just easiest to try it both ways. If either of them
    works, you have a valid certificate. Just remember to clear the error stack
    after an "expected and normal" error. Otherwise, it might confuse you later
    when you see an "invalid certificate" type error because much earlier it
    worked on the second attempt.

    DS


    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  3. Re: Getting the peer certificate encoding

    On Mon, Oct 13, 2008 at 09:35:03PM -0700, David Schwartz wrote:

    >
    > Aravinda Babu wrote:
    >
    > > Problem is our application will verify only DER format certificates.


    What protocol exchange is secured by the "certificate" (private/public
    key pair, with the public key encased in a CA certificate)? In many cases
    the protocol already exchanges the "certificate" in binary (DER) form.
    It is appropriate to ask what is happening here and why a certificate
    needs to be verified "out-of-band" and in what sense it is "verified".

    Presumably this is somehow tied to use of the associated private key to
    sign some data, but this is far from clear.

    --
    Viktor.


  4. Re: Getting the peer certificate encoding

    Hi,

    Is there any OpenSSL API to know this? I have to use it in a C program.

    Thanks,
    Aravind.

    On Tue, Oct 14, 2008 at 10:05 AM, David Schwartz wrote:

    >
    > Aravinda Babu wrote:
    >
    > > Problem is our application will verify only DER format certificates.

    >
    > > So if I get the peer certificate in PEM format, I will convert
    > > that into DER and I will verify the peer certificate.

    >
    > > Is there any OpenSSL API which will tell me about the peer
    > > certificate encoding?
    > > I want to know whether it is in PEM or DER?

    >
    > Is the certificate in a memory buffer or a file? Either way, you can just
    > look at the data. If it's PEM, the whole file will be printable text. The
    > first few characters will be perhaps some number of newlines or empty
    > spaces, but the first non-whitespace should be a '-'. If it's DER, there
    > will be many non-printable characters.
    >
    > However, it's probably just easiest to try it both ways. If either of them
    > works, you have a valid certificate. Just remember to clear the error stack
    > after an "expected and normal" error. Otherwise, it might confuse you later
    > when you see an "invalid certificate" type error because much earlier it
    > worked on the second attempt.
    >
    > DS



  5. Re: Getting the peer certificate encoding


    Aravinda babu wrote:
    | Hi,
    |
    | Is there any OpenSSL API to know this? I have to use it in a C program.

    Look into the data.
    If it is a DER encoded X509 cert,
    the first 3 bytes are 0x30,0x82,0x05


    Goetz

    --
    DMCA: The greed of the few outweighs the freedom of the many
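
The by-inspection approach from the replies above, as an added C example that is not part of the original thread and is not OpenSSL code: it looks for the PEM armor after leading whitespace and, for DER, goes beyond matching fixed leading bytes by reading the SEQUENCE tag and its length octets. The names `sniff_cert_encoding` and `cert_encoding` are hypothetical, and the sample buffers are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum cert_encoding { ENC_UNKNOWN = 0, ENC_PEM, ENC_DER };

/* Classify by inspection only: nothing here parses or verifies the certificate. */
enum cert_encoding sniff_cert_encoding(const unsigned char *buf, size_t len)
{
    static const char pem_tag[] = "-----BEGIN ";
    size_t i = 0, k, n, hdr, body = 0;

    if (buf == NULL || len < 2)
        return ENC_UNKNOWN;
    if (buf[0] == 0x30) {                 /* DER: outer SEQUENCE tag */
        if (buf[1] < 0x80) {              /* short form: one length octet */
            hdr = 2;
            body = buf[1];
        } else {                          /* long form: n length octets follow */
            n = buf[1] & 0x7f;
            if (n == 0 || n > 4 || len < 2 + n)
                return ENC_UNKNOWN;       /* indefinite or oversized length */
            hdr = 2 + n;
            for (k = 0; k < n; k++)
                body = (body << 8) | buf[2 + k];
        }
        /* Declared length must cover the buffer exactly (no truncation, no trailer). */
        return body == len - hdr ? ENC_DER : ENC_UNKNOWN;
    }
    while (i < len && isspace(buf[i]))    /* PEM: skip leading whitespace */
        i++;
    if (len - i >= sizeof pem_tag - 1 &&
        memcmp(buf + i, pem_tag, sizeof pem_tag - 1) == 0)
        return ENC_PEM;
    return ENC_UNKNOWN;
}

int main(void)
{
    /* Constructed samples: a DER header declaring 0x03a0 bytes, and PEM armor. */
    static unsigned char der[4 + 0x3a0] = { 0x30, 0x82, 0x03, 0xa0 };
    static const char pem[] = "\n-----BEGIN CERTIFICATE-----\nMIID...\n";

    printf("der=%d pem=%d\n", sniff_cert_encoding(der, sizeof der),
           sniff_cert_encoding((const unsigned char *)pem, sizeof pem - 1));
    return 0;
}
```

The result only selects a decoder; with OpenSSL that is `d2i_X509` for DER or `PEM_read_bio_X509` for PEM, and `ERR_clear_error` clears the error stack after an expected failed attempt.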

